Abstract

In this paper, we study model-checking of linear-time properties in multi-valued systems. Safety property, invariant property, liveness property, persistence and dual-persistence properties in multi-valued logic systems are introduced. Some algorithms related to the above multi-valued linear-time properties are discussed. The verification of multi-valued regular safety properties and multi-valued $\omega$-regular properties using lattice-valued automata is thoroughly studied. Since the law of non-contradiction (i.e., $a \wedge \neg a = 0$) and the law of excluded middle (i.e., $a \vee \neg a = 1$) do not hold in multi-valued logic, the linear-time properties introduced in this paper take new forms compared to those in classical logic. Compared with the classical model checking methods, our methods for multi-valued model checking are more direct. A new form of multi-valued model checking with membership degree is also introduced. In particular, we show that multi-valued model-checking can be reduced to classical model checking. The related verification algorithms are also presented. Some illustrative examples and a case study are also provided.

Keywords: Multi-valued transition system, linear-time property, invariant, safety, liveness, lattice-valued finite automaton.



1. Introduction 

In the last four decades, computer scientists have systematically developed theories of correctness and safety as well as methodologies, techniques and even automatic tools for correctness and safety verification of computer systems; see for example [E, 27, 32]. Among these, model checking has become established as one of the most effective automated techniques for analyzing correctness of software and hardware designs. A model checker checks a finite-state system against a correctness property expressed in a propositional temporal logic such as LTL or CTL. These logics can express safety (e.g., no two processes can be in the critical section at the same time) and liveness (e.g., every job sent to the printer will eventually print) properties. Model-checking has been effectively applied to reasoning about correctness of hardware, communication protocols, software requirements, etc. Many industrial model checkers have been developed, including SPIN and SMV.

Despite their variety, existing model-checkers are typically limited to reasoning in classical logic. However, there are a number of problems for which classical logic is insufficient. One of these is reasoning under uncertainty. This can occur either when complete information is not known or cannot be obtained (e.g., during requirements analysis), or when this information has been removed (abstraction). Classical model-checkers typically deal with uncertainty by creating extra states, one for each value of the unknown variable and each feasible combination of values of known variables. However, this approach adds significant extra complexity to the analysis. Classical reasoning is also insufficient for models that contain inconsistency. Models may be inconsistent because they combine conflicting points of view, or because they contain components developed by different people. Conventional reasoning systems cannot cope with inconsistency because the presence of a single contradiction results in trivialization: anything follows from $A \wedge \neg A$. Hence, faced with an inconsistent description and the need to perform automated reasoning, we must either discard information until consistency is achieved again, or adopt a nonclassical logic. Multi-valued logic (mv-logic, in short) provides a solution to both reasoning under uncertainty and reasoning under inconsistency. For example, we can use "unknown" and "no agreement" as logic values. In fact, model-checkers based on three-valued and four-valued logics have already been studied. For example, a three-valued logic has been used for interpreting results of model-checking with abstract interpretation, whereas four-valued logics have been used for reasoning about abstractions of detailed gate- or switch-level designs of circuits. For reasoning about dynamic properties of systems, we need to extend existing modal logics to the multi-valued case. Fitting [14] explores two different approaches for doing this: the first extends the interpretation of atomic formulae in each world to be multi-valued; the second also allows multi-valued accessibility relations between worlds. The latter approach is more general, and can readily be applied to the temporal logics used in model checking. We use different multi-valued logics to support different types of analysis. For example, to model information from multiple sources, we may wish to keep track of the origin of each piece of information, or just the majority vote, etc. Thus, rather than restricting ourselves to any particular multi-valued logic, our approach is to extend classical symbolic model-checking to arbitrary multi-valued logics, as long as conjunction, disjunction and negation of the logical values are well defined. M. Chechik and her colleagues have done much excellent work along this line.

Our purpose is to develop automata-based model-checking techniques in the multi-valued setting. More precisely, the major design decisions of this paper are as follows.

A lattice-valued automaton is adopted as the model of the systems. This is reasonable since classical automata (or equivalent transition systems) are the common system models in classical model-checking. Linear-time properties of multi-valued systems are checked in this paper. They are defined to be infinite sequences of sets of atomic propositions, as in the classical case, with truth values in a given lattice. The key idea of the automata-based approach to model-checking is that we can use an auxiliary automaton to recognize the properties to be checked; it is then combined with the system under checking so that the problem of checking the safety or $\omega$-properties of the system is reduced to checking some simpler (invariant or persistence) properties of the larger system composed of the system under checking and the auxiliary automaton. A difference between the classical case and the multi-valued case deserves a careful explanation. Since the law of non-contradiction (i.e., $a \wedge \neg a = 0$) and the law of excluded middle (i.e., $a \vee \neg a = 1$) do not hold in multi-valued logic, many classical properties must take new forms in multi-valued logic, and some distinct constructions need to be given in multi-valued logic.

As said in Ref. [2], the equivalences and preorders between transition systems that "correspond" to linear temporal logic are based on trace inclusion and equality, whereas for branching temporal logic such relations are based on simulation and bisimulation relations. That is to say, checking that a transition system $TS$ representing the model of a system satisfies a linear temporal formula $\varphi$, i.e., $TS \models \varphi$, is equivalent to checking the inclusion relation $Traces(TS) \subseteq P$, where $Traces(TS)$ is the trace function of the transition system $TS$ and $P$ is the temporal property representing the formula $\varphi$. In classical logic, we know that $a \le b$ if and only if $a \wedge \neg b = 0$ holds. Therefore, $TS \models \varphi$ if and only if $Traces(TS) \cap \neg P = \emptyset$. Then, instead of checking $TS \models \varphi$ directly using the inclusion relation $Traces(TS) \subseteq P$, it is equivalent to check indirectly the emptiness of the language $L(\mathcal{A}) \cap L(\mathcal{A}_{\neg\varphi})$, where $\mathcal{A}$ is a Büchi automaton representing the trace function of the transition system $TS$ (i.e., $L(\mathcal{A}) = Traces(TS)$), and $\mathcal{A}_{\neg\varphi}$ is a Büchi automaton related to the temporal property $\neg\varphi$ (i.e., $L(\mathcal{A}_{\neg\varphi}) = \neg P$).

On the other hand, in mv-logic, $a \le b$ is in general not equivalent to the condition $a \wedge \neg b = 0$, so the classical method for model checking of linear-time properties does not universally apply to multi-valued model checking. The available methods of multi-valued model checking still use the classical method with some minor corrections. That is, instead of checking $TS \models P$ for a multi-valued linear-time property $P$ using the inclusion of the trace function, $Traces(TS) \subseteq P$, the available methods only check the membership degree of the language $L(\mathcal{A}) \cap L(\mathcal{A}_{\neg P})$, where $\mathcal{A}_{\neg P}$ is a multi-valued Büchi automaton such that $L(\mathcal{A}_{\neg P}) = \neg P$. As we know, these two methods are not equivalent in mv-logic. Hence some new methods for multi-valued model checking of linear-time properties based on trace inclusion relations need to be developed.

We provide new results along this line. In fact, we shall give a method of multi-valued model checking of linear-time properties directly using the inclusion of the trace function of $TS$ in a linear-time property $P$. In propositional logic, we know that we can use the implication connective $\to$ to represent the inclusion relation. In fact, in classical logic, the implication connective can be represented by the negation and disjunction connectives, that is, $a \to b = \neg a \vee b$. In this case, $a \le b$ if and only if $\neg a \vee b = 1$, if and only if $a \wedge \neg b = 0$, if and only if $a \to b = 1$. Then a natural problem arises: how should the implication connective be defined in multi-valued logic? By the above analysis, it is not appropriate to use the implication connective defined in the form $a \to b = \neg a \vee b$ to represent the inclusion relation in multi-valued logic. In order to use the implication connective to reflect the inclusion relation in mv-logic, we shall use the implication connective $\to$ as a primitive connective in multi-valued logic, as done in [16]. In this case, we will have that $a \le b$ is semantically equivalent to $a \to b = 1$. Then we can use the implication connective to present the inclusion relation in multi-valued logic. This view will give a new idea for studying linear-time properties in multi-valued model checking. Furthermore, we also show that we can use the classical model checking methods (such as SPIN and SMV) to solve the multi-valued model checking problem. In particular, some special and important multi-valued linear-time properties are introduced, which include safety, invariant, persistence and dual-persistence properties, and the related verification algorithms are also presented. In multi-valued systems, the verification of the mentioned properties has some different structures compared to their classical counterparts. In particular, since the law of non-contradiction and the law of excluded middle do not hold in multi-valued logic, the auxiliary automata used in the verification of multi-valued regular safety properties and multi-valued $\omega$-regular properties need to be deterministic, whereas nondeterministic automata suffice for the classical cases.

There are at least two advantages of the method used in this paper. First, we use the implication connective as a primitive connective, which can reflect the "trace inclusion" in multi-valued logic, i.e., $a \le b$ if and only if $a \to b = 1$. Second, since there is a well-established multi-valued logic framework using the implication connective as a primitive connective ([16]), there will be a nice theory of multi-valued model checking, especially model checking of linear-time properties in mv-logic. Of course, this approach can be seen as another view on the study of multi-valued model checking.

The content of this paper is arranged as follows. We first recall some notions and notations of multi-valued logic systems in Section 2. In Section 3, the multi-valued linear-time properties are introduced. In particular, multi-valued regular safety properties and multi-valued liveness properties are introduced, and then the reduction of model-checking of multi-valued invariants to the classical one is presented. The verification of multi-valued regular safety properties is discussed in Section 4. In Section 5, the verification of multi-valued $\omega$-regular properties is shown. Some general considerations about multi-valued model checking are discussed in Section 6, in which the truth-valued degree of an mv-transition system satisfying a multi-valued linear-time property is introduced. Examples and a case study illustrating the method of this article are presented in Section 7. The summary, comparisons and future work are included in the conclusion. We place some proofs of the propositions in this article in the appendices for readability.

2. Multi-valued logic: some preliminaries

Let us first recall some notions and notations of multi-valued logic, which can be found in the literature.

We start by presenting ordered sets and lattices, which play a very important role in multi-valued logic.

Definition 1. A partial order, $\le$, on a set $I$ is a binary relation on $I$ such that for all $x, y, z \in I$ the following conditions hold:

(1) (reflexivity) $x \le x$.

(2) (anti-symmetry) $x \le y$ and $y \le x$ implies $x = y$.

(3) (transitivity) $x \le y$ and $y \le z$ implies $x \le z$.

A partially ordered set, $(I, \le)$, has a bottom (or least) element if there exists $0 \in I$ such that $0 \le x$ for any $x \in I$. The bottom element is also denoted by $\bot$. Dually, $(I, \le)$ has a top (or largest) element if there exists $1 \in I$ such that $x \le 1$ for all $x \in I$. The top element is also denoted by $\top$.

Definition 2. A partially ordered set, $(I, \le)$, is a lattice if the greatest lower bound and the least upper bound exist for any finite subset of $I$.

Given lattice elements $a$ and $b$, their greatest lower bound is referred to as the meet and denoted $a \wedge b$, and their least upper bound is referred to as the join and denoted $a \vee b$. By Definition 2, a lattice $(I, \le)$ has a top element $1$ and a bottom element $0$.

Remark 1. A complete lattice is a partially ordered set, $(I, \le)$, in which the greatest lower bound and the least upper bound exist for any subset of $I$. For a subset $X$ of $I$, its greatest lower bound and least upper bound are denoted by $\bigwedge X$ and $\bigvee X$, respectively.

Definition 3. A lattice $I$ is distributive if and only if (in short, iff) one of the following (equivalent) distributivity laws holds:

$x \wedge (y \vee z) = (x \wedge y) \vee (x \wedge z)$,

$x \vee (y \wedge z) = (x \vee y) \wedge (x \vee z)$.






The join-irreducible elements are crucial for the use of distributive lattices in this article.

Definition 4. Let $I$ be a lattice. Then $x \in I$ is called join-irreducible if $x \ne 0$ and $x = y \vee z$ implies $x = y$ or $x = z$ for all $y, z \in I$.

If $I$ is a distributive lattice, then a non-zero element $x$ in $I$ is join-irreducible iff $x \le y \vee z$ implies that $x \le y$ or $x \le z$ for any $y, z \in I$. We use $JI(I)$ to denote the set of join-irreducible elements in $I$. It is well known that $I$ is generated by its join-irreducible elements if $I$ is a finite distributive lattice, that is, for any $a \in I$, there exists a subset $A$ of $JI(I)$ such that $a = \bigvee A$. In other words, every element of $I$ can be written as a join of finitely many join-irreducible elements.

Furthermore, we present the definition of de Morgan algebra, also called quasi-Boolean algebra as in [9].

Definition 5. A de Morgan algebra is a tuple $(I, \le, \wedge, \vee, \neg, 0, 1)$ such that $(I, \le, \wedge, \vee, 0, 1)$ is a distributive lattice, and the negation $\neg$ is a function $I \to I$ such that $x \le y$ implies $\neg y \le \neg x$ and $\neg\neg x = x$ for any $x, y \in I$; $\neg x$ is also called the (quasi-)complement of $x$.

In a de Morgan algebra, the de Morgan laws hold, that is, $\neg(x \vee y) = \neg x \wedge \neg y$ and $\neg(x \wedge y) = \neg x \vee \neg y$. As is well known, a Boolean algebra is a de Morgan algebra $B$ with the additional conditions that for every element $x \in B$,

Law of Non-Contradiction: $x \wedge \neg x = 0$.

Law of Excluded Middle: $x \vee \neg x = 1$.

Example 2. In Fig. 1, we present some examples of de Morgan algebras, where $B_2$, $I_3$ and $I_5$ are linearly ordered.

(1) The lattice $B_2$ in Fig. 1, with $\neg 0 = 1$ and $\neg 1 = 0$, gives us classical logic.

(2) The three-valued logic $I_3$ is defined in Fig. 1, where $\neg F = T$, $\neg M = M$ and $\neg T = F$.

(3) The lattice $B_2 \times B_2$ in Fig. 1 shows the product algebra, where $\neg(0,0) = (1,1)$, $\neg(1,0) = (0,1)$, $\neg(0,1) = (1,0)$ and $\neg(1,1) = (0,0)$. This logic can be used for reasoning about disagreement between two knowledge sources.

(4) The lattice $I_5$ in Fig. 1 shows a five-valued logic; possible interpretations of its values are T = definitely true, L = likely or weakly true, M = maybe or unknown, U = unlikely or weakly false, and F = definitely false, where $\neg T = F$, $\neg L = U$, $\neg M = M$, $\neg U = L$, and $\neg F = T$.

(5) The lattice $I_3 \times I_3$ in Fig. 1 shows a nine-valued logic constructed as the product algebra. Like $B_2 \times B_2$, this logic can be used for reasoning about disagreements between two sources, but also allows missing information in each source.
[Figure 1 diagrams: $B_2$, $I_3$, $B_2 \times B_2$, $I_5$, $I_3 \times I_3$]

Figure 1: Some lattices

In the following, we always assume that $I$ is a de Morgan algebra, and it is also simply called an algebra.

Given an algebra $I$, we can now define multi-valued sets and multi-valued relations, which are sets or relations whose membership functions are multi-valued (take values in $I$). Multi-valued sets and multi-valued relations are basic data structures in the multi-valued model checking introduced later in this paper.

Definition 6. Given an algebra $I$ and a classical set $X$, an $I$-valued set on $X$, referred to as $f$, is a function $f : X \to I$.

When the underlying algebra $I$ is clear from context, we refer to an $I$-valued set just as a multi-valued set (mv-set, in short). For an mv-set $f$ and an element $x$ in $X$, we use $f(x)$ to denote the membership degree of $x$ in $f$. In the classical case, this amounts to representing a set by its characteristic function.

Some operations on mv-sets are defined in the following manner:

mv-intersection: $(f \cap g)(x) = f(x) \wedge g(x)$.

mv-union: $(f \cup g)(x) = f(x) \vee g(x)$.

set inclusion: $f \subseteq g \iff \forall x.\,(f(x) \le g(x))$.

extensional equality: $f = g \iff \forall x.\,(f(x) = g(x))$.

mv-complement: $(\neg f)(x) = \neg(f(x))$.

Definition 7. For a given algebra $I$, an $I$-valued relation $R$ on two sets $X$ and $Y$ is an $I$-valued set on $X \times Y$.

For any $I$-valued set $f : X \to I$ and any $m \in I$, the $m$-cut of $f$ is defined as a subset $f_m$ of $X$, where

$f_m = \{x \in X \mid f(x) \ge m\}$.

The support of $f$, denoted $supp(f)$, is a subset of $X$, where

$supp(f) = \{x \in X \mid f(x) > 0\}$.

Then we have a resolution of $f$ by its cuts, presented in the following proposition.

Proposition 3. For any $I$-valued set $f : X \to I$, we have

$f = \bigcup_{m \in I} m \wedge f_m$,

where $m \wedge f_m$ is the $I$-valued set defined as $(m \wedge f_m)(x) = m$ if $x \in f_m$ and $0$ in other cases. Furthermore, if $I$ is finite, then

$f = \bigcup_{m \in JI(I)} m \wedge f_m$.

The verification is simple; we omit its proof here. As a corollary, we have the following proposition.

Proposition 4. Given two $I$-valued sets $f, g : X \to I$, $f \le g$ if and only if $f_m \subseteq g_m$ for every $m \in I$. Furthermore, if $I$ is finite, $f \le g$ if and only if $f_m \subseteq g_m$ for every $m \in JI(I)$.

With these preliminaries, we can introduce some simple facts about multi-valued logic (mv-logic, in short).

Similar to classical first-order logic, the syntax of multi-valued or $I$-valued logic has three primitive connectives $\vee$ (disjunction), $\neg$ (negation) and $\to$ (implication), and one primitive quantifier $\exists$ (existential quantifier). In addition, we need to use some set-theoretical formulas. Let $\in$ (membership) be a binary (primitive) predicate symbol. Then $\subseteq$ and $=$ (equality) can be defined with $\in$ as usual. The semantics of multi-valued logic is given by interpreting the connectives $\vee$ and $\neg$ as the operations $\vee$ and $\neg$ on $I$, respectively, and interpreting the quantifier $\exists$ as the least upper bound in $I$. Moreover, the truth value of the set-theoretical formula $x \in A$ is $[x \in A] = A(x)$. In multi-valued logic, $1$ is the unique designated truth value; a formula $\varphi$ is valid iff $[\varphi] = 1$, denoted by $\models_I \varphi$.

In order to distinguish the symbols representing languages from the symbols representing lattices, we use the symbol $I$ to represent a lattice. We use the symbols $a, b, c, d, k$ to represent elements of $I$.

In this article, we only use multi-valued propositional formulae. We give their formal definition here.

Definition 8. Given a set of atomic propositions $AP$, the multi-valued propositional formulae (mv-proposition formulae, in short) generated by $AP$ are defined in BNF form as:

$\varphi ::= A \mid r \mid \varphi_1 \vee \varphi_2 \mid \varphi_1 \to \varphi_2 \mid \neg\varphi$,

where $r \in I$ and $A \in AP$.

The set of mv-proposition formulae is denoted by $I\text{-}AP$.

The induced operations on mv-proposition formulae are defined as follows. For any valuation of atomic propositions $v : AP \to I$, the truth value of an mv-proposition formula $\varphi$ under $v$ is an element of $I$, denoted $v(\varphi)$, which is defined inductively as follows:

$v(\varphi) = v(A)$ if $\varphi = A \in AP$;

$v(\varphi) = r$ if $\varphi = r \in I$;

$v(\varphi_1 \vee \varphi_2) = v(\varphi_1) \vee v(\varphi_2)$;

$v(\neg\varphi) = \neg v(\varphi)$;

$v(\varphi_1 \to \varphi_2) = v(\varphi_1) \to v(\varphi_2)$ (see the definition of $\to$ below).

To define the semantics of the implication in Definition 8, the algebra $I$ needs to have an implication operator on it. There are at least two methods to determine the implication operator. First, it can be defined by the other primitive connectives of the mv-logic system. For example, we can use $a \to b = \neg a \vee b$ as a material implication to define the implication operator. In fact, in some references the implication operator is chosen in this form. The second choice is to take $\to$ as a primitive connective in mv-logic which satisfies the condition $a \to b = 1$ whenever $a \le b$. In this paper, we shall use the second method to define the implication operator. Then we need $I$ to be a residual lattice or Heyting algebra, defined as follows.

Definition 9. Let $I$ be a lattice. If for any $a, b \in I$ there is an element $a \to b \in I$ satisfying the condition

$x \le a \to b$ iff $x \wedge a \le b$,

for any $x \in I$, then $I$ is called a residual lattice or Heyting algebra, and the operator $\to$ is called the implication or the residual operator in $I$.

For any complete lattice satisfying the infinite distributive law, i.e.,

$x \wedge \bigvee_{i} a_i = \bigvee_{i} (x \wedge a_i)$,

$I$ is a residual lattice, and the implication operator is defined as follows:

$a \to b = \bigvee\{c \in I \mid a \wedge c \le b\}$.

For example, if $I$ is linearly ordered, then $a \to b = 1$ if $a \le b$ and $a \to b = b$ if $a > b$; if $I$ is a Boolean algebra, then $a \to b = \neg a \vee b$. In particular, every finite distributive lattice is a residual lattice.

Hence, the algebra $I$ in this paper is also required to be a residual lattice, i.e., there is an additional implication operator $\to$ on $I$ satisfying $a \to b = 1$ iff $a \le b$. This is the main difference between our method and those used in the literature. We shall give some analysis of why we use the implication operator in the second form in Section 6.
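To make the difference between the material implication $\neg a \vee b$ and the residual implication concrete, here is an added Python example (not code from the paper) that builds the finite algebras $I_3$ and $B_2 \times B_2$ of Example 2, computes meet, join, the residual $a \to b = \bigvee\{c \mid a \wedge c \le b\}$ of Definition 9, the join-irreducible elements of Definition 4, and the $m$-cuts of Propositions 3 and 4. The class and function names are this example's own; lattice elements are represented as strings (for $I_3$) or pairs (for $B_2 \times B_2$).

```python
from itertools import product


class FiniteLattice:
    """A finite de Morgan algebra given by its elements, an order predicate and a
    negation table.  Meet, join and the residual implication are found by brute
    force, which is adequate for the small algebras of Example 2."""

    def __init__(self, elements, leq, neg):
        self.elements = list(elements)
        self.leq = leq   # partial order x <= y
        self.neg = neg   # de Morgan negation as a dict
        self.bottom = next(x for x in self.elements
                           if all(leq(x, y) for y in self.elements))
        self.top = next(x for x in self.elements
                        if all(leq(y, x) for y in self.elements))

    def meet(self, a, b):
        lower = [x for x in self.elements if self.leq(x, a) and self.leq(x, b)]
        return next(x for x in lower if all(self.leq(y, x) for y in lower))

    def join(self, a, b):
        upper = [x for x in self.elements if self.leq(a, x) and self.leq(b, x)]
        return next(x for x in upper if all(self.leq(x, y) for y in upper))

    def implies(self, a, b):
        """Residual implication: a -> b = join of { c | a meet c <= b }."""
        result = self.bottom
        for c in self.elements:
            if self.leq(self.meet(a, c), b):
                result = self.join(result, c)
        return result

    def material(self, a, b):
        """Material implication neg a join b, the first choice discussed above."""
        return self.join(self.neg[a], b)

    def join_irreducibles(self):
        """Non-zero x such that x = y join z forces x == y or x == z."""
        return [x for x in self.elements if x != self.bottom and not any(
            self.join(y, z) == x and y != x and z != x
            for y, z in product(self.elements, repeat=2))]


# The chain I3 (F < M < T) with neg M = M, and the product algebra B2 x B2
# with componentwise order and neg (a, b) = (1 - a, 1 - b), as in Example 2.
_RANK = {"F": 0, "M": 1, "T": 2}
I3 = FiniteLattice("FMT", lambda x, y: _RANK[x] <= _RANK[y],
                   {"F": "T", "M": "M", "T": "F"})
B2xB2 = FiniteLattice(list(product((0, 1), repeat=2)),
                      lambda x, y: x[0] <= y[0] and x[1] <= y[1],
                      {(a, b): (1 - a, 1 - b) for a, b in product((0, 1), repeat=2)})


def law_of_non_contradiction(lat):
    return all(lat.meet(x, lat.neg[x]) == lat.bottom for x in lat.elements)


def law_of_excluded_middle(lat):
    return all(lat.join(x, lat.neg[x]) == lat.top for x in lat.elements)


def implication_reflects_order(lat, imp):
    """True iff  a <= b  exactly when  imp(a, b) == 1  for all a, b in lat."""
    return all(lat.leq(a, b) == (imp(a, b) == lat.top)
               for a in lat.elements for b in lat.elements)


# m-cuts of an mv-set f : X -> I (a dict) and the cut-wise inclusion test.
def cut(lat, f, m):
    return {x for x, v in f.items() if lat.leq(m, v)}


def mv_leq(lat, f, g):
    return all(lat.leq(f[x], g[x]) for x in f)


def mv_leq_by_cuts(lat, f, g):
    """Proposition 4 for finite I: compare only the cuts at join-irreducibles."""
    return all(cut(lat, f, m) <= cut(lat, g, m) for m in lat.join_irreducibles())


def resolve_by_cuts(lat, f):
    """Proposition 3 for finite I: rebuild f(x) as the join of the
    join-irreducible m with x in f_m."""
    out = {}
    for x in f:
        v = lat.bottom
        for m in lat.join_irreducibles():
            if x in cut(lat, f, m):
                v = lat.join(v, m)
        out[x] = v
    return out
```

On $I_3$ the middle value witnesses both failures at once: `I3.meet("M", "M")` is `M` rather than `F` and `I3.join("M", "M")` is `M` rather than `T`, and `I3.material("M", "M")` evaluates to `M` although $M \le M$, whereas `I3.implies("M", "M")` is `T`. On the Boolean algebra $B_2 \times B_2$ the two implications coincide, as stated above.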

For a set of atomic propositions $\Phi \subseteq AP$, the characteristic function of $\Phi$ is the valuation $v$ on $AP$ such that $v(A) = 1$ if $A \in \Phi$ and $v(A) = 0$ otherwise. In this case, we write $v(\varphi)$ as $\varphi(\Phi)$.
Multi-valued temporal logic formulae have also been defined in the literature, to which we refer the reader for further reading.

3. Linear-time properties in multi-valued systems

In this section, we shall introduce several notions of linear-time properties in mv-logic, including multi-valued safety properties, multi-valued invariants, multi-valued persistence properties, dual multi-valued persistence properties, and multi-valued liveness properties. As the starting point, let us first give the notion of a multi-valued transition system, which is used to model the system under consideration.

3.1. Multi-valued transition systems and their trace functions

Transition systems or Kripke structures are the key models for model checking. Corresponding to multi-valued model checking, we have the notion of multi-valued transition systems, which is defined as follows (for the notion of multi-valued Kripke structures, we refer to the literature).

Definition 10. A multi-valued transition system (mv-TS, for short) is a 6-tuple $TS = (S, Act, \to, I, AP, L)$, where (1) $S$ denotes a set of states; (2) $Act$ is a set of names of actions; (3) $\to \subseteq S \times Act \times S \times I$ is a transition relation; (4) $I : S \to I$ is the mv-set of initial states; (5) $AP$ is a set of (classical) atomic propositions; and (6) $L : S \to 2^{AP}$ is a labeling function.

$TS$ is called finite if $S$, $Act$ and $AP$ are finite.

We always assume that an mv-TS is finite in this paper.

Here, the labeling function $L$ is the same as that in the classical case. In some of the literature, the labeling function is also required to be multi-valued, that is, $L$ is a function from the state set $S$ into $I^{AP}$, the latter set denoting all $I$-valued sets on $AP$, also called the $I$-powerset of $AP$. We shall show that they are equivalent as trace functions in Appendix I.

For convenience, we use $\eta(s, a, s') = r$ to represent $(s, a, s', r) \in \to$. Intuitively, $\eta(r, a, r')$ stands for the truth value of the proposition that action $a$ causes the current state $r$ to become the next state $r'$. The intuitive behavior of an mv-transition system can be described as follows. The transition system starts in some initial state $s_0 \in I$ (in the multi-valued sense) and evolves according to the transition relation $\to$. That is, if $s$ is the current state, then a transition $(s, a, s', r) \in \to$ originating from $s$ is selected in the mv-logic sense and taken, i.e., the action $a$ is performed and the transition system evolves from state $s$ into the state $s'$ with truth value $r$. This selection procedure is repeated in state $s'$ and finishes once a state is encountered that has no outgoing transitions. (Note that $I$ may be empty; in that case, the transition system has no behavior at all, as no initial state can be selected.) It is important to realize that in case a state has more than one outgoing transition, the next transition is chosen in a purely mv-logic fashion. That is, the outcome of this selection process is known with some truth value a priori, and, hence, the degree with which a certain transition is selected is given a priori in the mv-logic sense.

Let $TS = (S, Act, \to, I, AP, L)$ be a transition system. A finite execution fragment (or a run) $\varrho$ of $TS$ is an alternating sequence of states and actions ending with a state,

$\varrho = s_0 a_1 s_1 a_2 \cdots a_n s_n$ such that $\eta(s_i, a_{i+1}, s_{i+1}) = r_{i+1}$ for all $0 \le i < n$,

where $n \ge 0$, with truth value $v(\varrho) = I(s_0) \wedge r_1 \wedge r_2 \wedge \cdots \wedge r_n$. We refer to $n$ as the length of the execution fragment $\varrho$. An infinite execution fragment $\rho$ of $TS$ is an infinite, alternating sequence of states and actions:

$\rho = s_0 a_1 s_1 a_2 \cdots$ such that $\eta(s_i, a_{i+1}, s_{i+1}) = r_{i+1}$ for all $0 \le i$,

with truth value $v(\rho) = I(s_0) \wedge r_1 \wedge r_2 \wedge \cdots = \bigwedge_{i \ge 0} r_i$, where $r_0 = I(s_0)$.

For a finite execution fragment $\varrho$ or an infinite execution fragment $\rho$ of $TS$, the corresponding finite or infinite sequence of states, denoted $\pi(\varrho) = s_0 s_1 \cdots s_n$ or $\pi(\rho) = s_0 s_1 \cdots$, respectively, is called a path of $TS$ corresponding to $\varrho$ or $\rho$.

In general, an infinite path or a computation of an mv-TS $TS$ is an infinite sequence of states $s_0 s_1 \cdots$ such that $s_0 \in I$ and $\eta(s_i, a_i, s_{i+1}) > 0$ for some $a_i$. In order to describe an infinite sequence of states, we use the function $\pi : \mathbb{N} \to S$ defined by: $\pi(i)$ is the $i$-th state in the sequence $s_0 s_1 \cdots$. In the following, $\pi$ will denote a path of an mv-TS and $\pi[i]$ will denote the actual sequence of states starting at position $i$, that is, $\pi[i] = \pi(i)\pi(i+1)\cdots$. We also use $\pi$ (suitably decorated) to denote a finite fragment of $\pi$.

Let $TS = (S, Act, \to, I, AP, L)$ be an mv-TS; then for each $s \in S$,

$Paths_{TS}(s) = \{\pi : \mathbb{N} \to S \mid \pi(0) = s,\ (\forall i \in \mathbb{N})(\exists a_i \in Act)(\eta(\pi(i), a_i, \pi(i+1)) > 0)\}$,

which is the set of all infinite paths starting at state $s$.

For $T \subseteq S$, we write $Paths_{TS}(T) = \bigcup_{s \in T} Paths_{TS}(s)$. Let $Paths(TS) = Paths_{TS}(S)$.

Also, we define $S_{inf} = \{s \in S \mid Paths_{TS}(s) \ne \emptyset\}$. If the transition relation $\to$ is total, that is, for all $s \in S$ there exist $a \in Act$ and $s' \in S$ such that $\eta(s, a, s') > 0$, then we also say that $TS$ is without terminal states. In this case, $S_{inf} = S$.

A trace is the sequence of labelings (or observations) corresponding to a path $\pi$, $L(\pi(0))L(\pi(1))\cdots$, which will again be denoted by $L(\pi)$ or $trace(\pi)$. The definition of the trace as a function is the composition of the maps $L$ and $\pi$, i.e., the map $L \circ \pi : \mathbb{N} \to 2^{AP}$. Let $Lang(TS) = \{L(\pi) \mid \pi \in Paths(TS)\}$. The $I$-language or multi-valued language (mv-language, in short) of the transition system $TS$ over $2^{AP}$, which is also called the multi-valued trace function of $TS$, is defined as a function from $Lang(TS)$ into $I$ as follows:

$Traces(TS)(L(\pi)) = \bigvee\{v(\rho) \mid \text{the state sequence of } \rho \text{ is } \pi\}$.

In fact, $Traces(TS)$ registers the sequences of sets of atomic propositions $L(\pi)$ that are valid along the execution, with truth value $Traces(TS)(L(\pi))$. Then we regard $Traces(TS)$ as a multi-valued trace function $Traces(TS) : (2^{AP})^\omega \to I$, which is a multi-valued linear-time property over $2^{AP}$.

Definition 11. An mv-linear-time property (LT-property, in short) over the set of atomic propositions $AP$ is an mv-subset of $(2^{AP})^\omega$, i.e., $P : (2^{AP})^\omega \to I$.

Mv-LT properties specify the traces that an mv-TS should exhibit. Informally speaking, one could say that an mv-LT property specifies the admissible (or desired) behavior of the system under consideration.

The fulfillment of an mv-LT property by an mv-TS is defined as follows.

Definition 12. For an mv-TS $TS$ and an mv-linear-time property $P$, $TS \models P$ if $Traces(TS) \subseteq P$.

In mv-logic, even if $TS \models P$ does not hold, i.e., $Traces(TS) \subseteq P$ does not hold, we still have a membership degree of the inclusion relation, denoted $IMC(TS, P)$, which represents the degree of inclusion of $Traces(TS)$ in $P$. The study of $IMC(TS, P)$ is more complex in general; we leave it to Section 6.

In the following, we will define several mv-linear-time properties, including safety and liveness properties.

3.2. Multi-valued safety property

Safety properties are often characterized as "nothing bad should happen". Formally, in the classical case, a safety property is defined as an LT property over $AP$ such that any infinite word $\sigma$ where $P$ does not hold contains a bad prefix. Since it is difficult to define the notion of bad prefix in multi-valued logic, we use the dual notion of good prefixes to define multi-valued safety properties here. Of course, they are equivalent in the classical case. We need $I$ to be complete in the following.

Definition 13. For an mv-linear-time property $P : (2^{AP})^\omega \to I$, define an mv-language $GPref(P) : (2^{AP})^* \to I$ as

$GPref(P)(\theta) = \bigvee\{P(\theta\sigma) \mid \sigma \in (2^{AP})^\omega\}$

for any $\theta \in (2^{AP})^*$, which is called the good prefixes of $P$.

$P$ is called a safety property if

$\bigwedge\{GPref(P)(\theta) \mid \theta \in Pref(\sigma)\} \le P(\sigma)$

for any $\sigma \in (2^{AP})^\omega$, where $Pref(\sigma) = \{\theta \in (2^{AP})^* \mid \sigma = \theta\sigma' \text{ for some } \sigma' \in (2^{AP})^\omega\}$ is called the prefix set of $\sigma$.

Informally, an mv-safety property can be characterized as "anything always good must happen", which is equivalent to the saying "nothing bad should happen".

An mv-safety property can be characterized by a closure operator, which is formally defined as follows.
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Definition 14. For an mv-linear-time property P, the closure Closure{P) of P is 
an mv-linear-time property over (2'^^)'" defined as follows, 

ClosureiP){o) = Te(2^pr P{d'^)\d e Pref{a)}, 
for any o e (2^^)'^. 

By the definition of good prefixes, the following equality holds for any a, 
Closure{P){o) = MGPref{P){d)\d e Pref{o)}. 

Proposition 5. For mv-linear-time properties P,Pi and P2, we have (1) P Q 
Closure{P), (2)IfIm{Pi) andlm{P'^ are finite subsets of I, then Closure{PiUP2) = 
Closure{Pi) U Closure{P2), and (3) Closure{Closure{P)) - Closure{P). 

The proof is placed in Appendix II. 

Proposition 6. For an mv-linear-time property $P$, $P$ is a safety property if and only if $P = Closure(P)$.

The proof is placed in Appendix III.

Another useful characterization of mv-safety properties, using the finite trace function, is as follows.

Theorem 7. Assume that $P$ is a safety property and $TS$ is an mv-TS. Then $TS \models P$ if and only if $Traces_{fin}(TS) \sqsubseteq GPref(P)$, where $Traces_{fin}(TS) : (2^{AP})^* \to l$ is defined by $Traces_{fin}(TS)(\theta) = \bigvee\{Traces(TS)(\theta\tau) \mid \tau \in (2^{AP})^\omega\}$ for any $\theta \in (2^{AP})^*$. $Traces_{fin}(TS)$ is also called the finite trace function of $TS$.

Proof: "If" part: We show $Traces(TS) \models P$ by contradiction. Assume that $Traces(TS) \not\models P$; then there exists $\sigma \in (2^{AP})^\omega$ such that $Traces(TS)(\sigma) \not\le P(\sigma)$. Since $Traces(TS)(\sigma) \le Traces_{fin}(TS)(\theta)$ for any $\theta \in Pref(\sigma)$, it follows that $Traces_{fin}(TS)(\theta) \not\le P(\sigma)$ for any $\theta \in Pref(\sigma)$. On the other hand, since $P$ is safe, we have $\bigwedge_{\theta \in Pref(\sigma)} GPref(P)(\theta) \le P(\sigma)$. Thus $Traces(TS)(\sigma) \not\le \bigwedge_{\theta \in Pref(\sigma)} GPref(P)(\theta)$. Then there is $\theta \in Pref(\sigma)$ satisfying $Traces(TS)(\sigma) \not\le GPref(P)(\theta)$. By the assumption $Traces_{fin}(TS) \sqsubseteq GPref(P)$, it follows that $Traces(TS)(\sigma) \not\le Traces_{fin}(TS)(\theta)$, a contradiction.

"Only if" part: Assume that the relation $Traces_{fin}(TS) \sqsubseteq GPref(P)$ does not hold. Then there exists $\theta \in (2^{AP})^*$ such that $Traces_{fin}(TS)(\theta) \not\le GPref(P)(\theta)$. Since $GPref(P)(\theta) = \bigvee\{P(\theta\tau) \mid \tau \in (2^{AP})^\omega\} = \bigvee\{P(\sigma) \mid \theta \in Pref(\sigma)\}$, it follows that $Traces_{fin}(TS)(\theta) \not\le P(\sigma)$ for any $\sigma \in (2^{AP})^\omega$ satisfying $\theta \in Pref(\sigma)$. Noting that $Traces_{fin}(TS)(\theta) = \bigvee\{Traces(TS)(\sigma) \mid \theta \in Pref(\sigma)\}$, there is $\sigma \in (2^{AP})^\omega$ satisfying $\theta \in Pref(\sigma)$ such that $Traces(TS)(\sigma) \not\le P(\sigma)$. This contradicts the assumption that $TS \models P$. The proof is completed. □

Let us introduce an important mv-safety property, called the mv-invariant, defined in the following manner.

Definition 15. Let $\varphi$ be an mv-proposition formula generated by the atomic propositions in $AP$. A property $P : (2^{AP})^\omega \to l$ is said to be an invariant with respect to $\varphi$ if $P(A_0A_1A_2\cdots) = \bigwedge_{i \ge 0} \varphi(A_i)$ for any $A_0A_1A_2\cdots \in (2^{AP})^\omega$.

For clarity, if $P$ is an invariant with respect to $\varphi$, we also write $P$ as $inv(\varphi)$.

If $P$ is an invariant with respect to $\varphi$, then $GPref(P) : (2^{AP})^* \to l$ is given by

$$GPref(P)(A_0A_1\cdots A_k) = \bigvee\{P(A_0A_1\cdots A_k\tau) \mid \tau \in (2^{AP})^\omega\} = \bigvee\Big\{\bigwedge_{i \le k}\varphi(A_i) \wedge P(\tau) \;\Big|\; \tau \in (2^{AP})^\omega\Big\} = \bigwedge_{i \le k}\varphi(A_i) \wedge \bigvee\{P(\tau) \mid \tau \in (2^{AP})^\omega\}.$$

Hence $\bigwedge_{\theta \in Pref(\sigma)} GPref(P)(\theta) = P(\sigma) \wedge \bigvee\{P(\tau) \mid \tau \in (2^{AP})^\omega\} \le P(\sigma)$ for any $\sigma \in (2^{AP})^\omega$. Therefore, an invariant must be a safety property.

Corollary 8. An mv-invariant is an mv-safety property.

For an mv-invariant $P = inv(\varphi)$ and a finite mv-TS $TS = (S, Act, \to, I, AP, L)$, we give an approach that reduces the model checking problem $TS \models inv(\varphi)$ to several classical model checking problems for invariant properties.

For the given finite mv-TS $TS = (S, Act, \to, I, AP, L)$, let $X = Im(I) \cup Im(\eta)$ and $l_1 = \langle X \rangle$, that is, $l_1$ is the subalgebra of $l$ generated by $X$; then $l_1$ is finite as a set ([28]). Obviously the behaviour of $TS$ only takes values in $l_1$. For this reason, we can assume that $l = l_1$ is a finite lattice in the following. As said in Section 2, every element of $l$ can then be represented as a join of join-irreducible elements of $l$.

For the given transition system TS = {S,Act,^,I,AP,L) and for any m G 
write TSm = {S,Act,^,n,Im,AP,L), where -^m is the m-cut of — i.e., 
— ^m= {is,a,s')\ri{s,a,s') > m] and Im is the m-cut of 1. Then TSm is a classical 
transition system. By Proposition [3l we have 

Traces{TS) = [J„ie}i{i) ^ A Traces{TSm)- 

For an mv-proposition formula $\varphi$ generated by the atomic proposition set $AP$, if we take $\varphi_m = \bigvee\{A \in 2^{AP} \mid \varphi(A) \ge m\}$, then $\varphi_m$ is a classical proposition formula. The classical safety property corresponding to $\varphi_m$, denoted $inv(\varphi_m)$, is $inv(\varphi_m) = \{A_0A_1\cdots \mid \forall i.\, A_i \models \varphi_m\} = \{A_0A_1\cdots \mid \forall i.\, \varphi(A_i) \ge m\}$. Noting that $inv(\varphi)_m = \{A_0A_1\cdots \mid inv(\varphi)(A_0A_1\cdots) \ge m\} = \{A_0A_1\cdots \mid \bigwedge_{i \ge 0}\varphi(A_i) \ge m\} = \{A_0A_1\cdots \mid \forall i.\, \varphi(A_i) \ge m\}$, we get $inv(\varphi)_m = inv(\varphi_m)$. In this case, by Proposition 3 we have

$$inv(\varphi) = \bigcup_{m \in JI(l)} m \wedge inv(\varphi)_m = \bigcup_{m \in JI(l)} m \wedge inv(\varphi_m).$$

By Proposition 4 we have the following observations:

$TS \models inv(\varphi)$ iff $Traces(TS) \sqsubseteq inv(\varphi)$ iff for all $m \in JI(l)$, $Traces(TS)_m \subseteq inv(\varphi)_m$, iff for all $m \in JI(l)$, $TS_m \models inv(\varphi_m)$, iff for all $m \in JI(l)$, $s \models \varphi_m$ for all states $s \in Reach(TS_m)$, iff for all $m \in JI(l)$, $L(s) \models \varphi_m$ (in propositional logic) for all states $s \in Reach(TS_m)$, where $Reach(TS_m)$ denotes the set of states reachable from the initial states in $I_m$.
There are classical algorithms based on depth-first or breadth-first graph search to decide $TS_m \models inv(\varphi_m)$ (see Ref. [2]), and since $JI(l)$ is finite, we can reduce the mv-model checking problem $TS \models inv(\varphi)$ to finitely many (in fact, at most $|JI(l)|$) instances of classical model checking.

Remark 9. The algorithm implementing the above reduction is given as Algorithm 1. The classical model checker for invariant properties is applied at most $|JI(l)|$ times. It might seem that the worst running time occurs when the lattice $l$ is linearly ordered, but even in that case we can optimize by performing binary search: we first check the element in the middle of the lattice and then recurse on the upper or lower half according to the result. In this case, the algorithm applies the model checker $O(\log |JI(l)|)$ times.



Algorithm 1: (Algorithm for the multi-valued model checking of an invariant)
Input: An mv-transition system $TS$ and an mv-proposition formula $\varphi$.
Output: return true if $TS \models inv(\varphi)$. Otherwise, return a maximal element $x$ plus a counterexample for $\varphi_x$.

Set $A := JI(l)$ (*the initial $A$ is the set of join-irreducible elements of $l$*)
While ($A \neq \emptyset$) do
    $x \leftarrow$ a maximal element of $A$ (*$x$ is one of the maximal elements of $A$*)
    if $TS_x \models inv(\varphi_x)$ (*check whether $TS_x \models inv(\varphi_x)$ holds, using a classical algorithm*)
    then
        $C := \{y \in A \mid y \le x\}$
        $A := A - C$
    else
        Return $x$ plus a counterexample for $\varphi_x$ (*if $TS_x \not\models inv(\varphi_x)$, then there is a counterexample for $\varphi_x$*)
    fi
od

Return true
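The cut-based reduction of this subsection on a concrete finite lattice, as an added worked example (this is not code from the paper; the lattice, the sample mv-TS, the formula phi and all function names are constructed for the illustration). It computes $JI(l)$ for the product of a 3-chain and a 2-chain, builds the cut $TS_m$, runs the classical reachability check $TS_m \models inv(\varphi_m)$, and visits the join-irreducible cuts maximal-first as the reduction requires. In this sample system the cut $(2,0)$ passes while $(1,0)$ below it fails, so every join-irreducible cut is checked independently.

```python
"""Mv-invariant checking by reduction to classical reachability on cuts."""
from collections import deque

# Lattice l = chain {0,1,2} x chain {0,1}, ordered componentwise; join is
# componentwise max and meet componentwise min, so l is finite and distributive.
LATTICE = [(i, j) for i in range(3) for j in range(2)]
BOTTOM = (0, 0)


def leq(x, y):
    """Order of l: x <= y componentwise."""
    return x[0] <= y[0] and x[1] <= y[1]


def join_irreducibles(elements):
    """JI(l): a non-zero x is join-irreducible iff the elements strictly below
    x have a single maximal element, i.e. x is not a join of smaller elements."""
    result = []
    for x in elements:
        if x == BOTTOM:
            continue
        below = [y for y in elements if leq(y, x) and y != x]
        maximal = [y for y in below
                   if not any(leq(y, z) and y != z for z in below)]
        if len(maximal) == 1:
            result.append(x)
    return result


# Constructed mv-TS: initial degrees I(s), labels L(s) over AP = {safe}, and
# transition degrees eta(s, s') (the action component is dropped).
STATES = ["s0", "s1", "s2"]
INIT = {"s0": (2, 1), "s1": BOTTOM, "s2": BOTTOM}
LABEL = {"s0": frozenset({"safe"}), "s1": frozenset({"safe"}), "s2": frozenset()}
ETA = {("s0", "s1"): (2, 1), ("s1", "s0"): (2, 1),
       ("s1", "s2"): (1, 0), ("s2", "s2"): (2, 1)}


def phi(label):
    """mv-proposition phi: fully true when 'safe' holds, only (0,1) otherwise."""
    return (2, 1) if "safe" in label else (0, 1)


def cut_system(m):
    """TS_m: initial states with I(s) >= m and transitions with eta >= m."""
    init_m = [s for s in STATES if leq(m, INIT[s])]
    succ_m = {s: [t for (u, t), r in ETA.items() if u == s and leq(m, r)]
              for s in STATES}
    return init_m, succ_m


def classical_invariant_check(m):
    """Classical check TS_m |= inv(phi_m) by breadth-first reachability: every
    reachable state s must satisfy phi(L(s)) >= m.  Returns None when the
    invariant holds, otherwise a counterexample path to a violating state."""
    init_m, succ_m = cut_system(m)
    parent = {s: None for s in init_m}
    queue = deque(init_m)
    while queue:
        s = queue.popleft()
        if not leq(m, phi(LABEL[s])):
            path = []
            while s is not None:
                path.append(s)
                s = parent[s]
            return path[::-1]
        for t in succ_m[s]:
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None


def mv_invariant_check():
    """TS |= inv(phi) iff TS_m |= inv(phi_m) for every m in JI(l).  Cuts are
    visited maximal-first; the first failing cut is returned together with
    its counterexample (the output shape of Algorithm 1), otherwise True."""
    remaining = set(join_irreducibles(LATTICE))
    while remaining:
        x = next(y for y in sorted(remaining)
                 if not any(leq(y, z) and y != z for z in remaining))
        cex = classical_invariant_check(x)
        if cex is not None:
            return x, cex
        remaining.discard(x)
    return True


if __name__ == "__main__":
    print(join_irreducibles(LATTICE))   # [(0, 1), (1, 0), (2, 0)]
    print(mv_invariant_check())         # ((1, 0), ['s0', 's1', 's2'])
```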



3.3. Multi-valued liveness properties 

Compared to safety properties, "liveness" properties state that something good will happen in the future. Whereas safety properties are violated in finite time, i.e., by a finite system run, liveness properties are violated in infinite time, i.e., by infinite system runs. Analogously to the multi-valued safety property, we introduce the multi-valued liveness property here.

Definition 16. An mv-linear-time property $P : (2^{AP})^\omega \to l$ is called a liveness property if $supp(Closure(P)) = (2^{AP})^\omega$.

Similar to the classical liveness property, we have the following proposition linking mv-safety and mv-liveness.

Proposition 10. For any mv-linear-time property $P : (2^{AP})^\omega \to l$, there exist an mv-safety property $P_{safe}$ and an mv-liveness property $P_{live}$ such that $P = P_{safe} \cap P_{live}$.

Proof: In fact, if we let $P_{safe} = Closure(P)$ and $P_{live} = P \cup ((2^{AP})^\omega - supp(Closure(P)))$, then $P = P_{safe} \cap P_{live}$ and $supp(Closure(P_{live})) = (2^{AP})^\omega$. □

In the following, let us give some useful mv-liveness properties used in this paper.

Definition 17. Let $\varphi$ be an mv-proposition formula generated by the atomic propositions $AP$. The mv-persistence property over $AP$ with respect to $\varphi$ is the mv-linear-time property $P : (2^{AP})^\omega \to l$ defined by

$$P(A_0A_1\cdots) = \bigvee_{i \ge 0}\bigwedge_{j \ge i}\varphi(A_j).$$

The formula $\varphi$ is called a persistence (or state) condition of $P$. To emphasize the formula $\varphi$, $P$ is also denoted by $pers(\varphi)$, i.e.,

$$pers(\varphi)(A_0A_1\cdots) = \bigvee_{i \ge 0}\bigwedge_{j \ge i}\varphi(A_j).$$

Since we will use temporal modalities to characterize the mv-persistence property, let us recall the semantics of the two temporal modalities $\Diamond$ ("eventually", sometime in the future) and $\Box$ ("always", from now on forever). For $A_0A_1\cdots \in (2^{AP})^\omega$ and a proposition formula $\psi$ generated by the atomic formulae $AP$,

$A_0A_1\cdots \models \Diamond\psi$ iff $\exists j \ge 0.\, A_j \models \psi$;

$A_0A_1\cdots \models \Box\psi$ iff $\forall j \ge 0.\, A_j \models \psi$;

$A_0A_1\cdots \models \Box\Diamond\psi$ iff $\forall i \ge 0.\, \exists j \ge i.\, A_j \models \psi$;

$A_0A_1\cdots \models \Diamond\Box\psi$ iff $\exists i \ge 0.\, \forall j \ge i.\, A_j \models \psi$.

Now we characterize the mv-persistence property by its cuts. For the cuts of $pers(\varphi)$ it is readily verified that, for any $m \in JI(l)$,

$$pers(\varphi)_m = pers(\varphi_m),$$

where $pers(\varphi_m)$ is the classical persistence property w.r.t. the proposition formula $\varphi_m$ generated by the atomic propositions $AP$, i.e.,

$$pers(\varphi_m) = \{A_0A_1\cdots \in (2^{AP})^\omega \mid \exists i \ge 0.\, \forall j \ge i.\, A_j \models \varphi_m\}.$$

Using the temporal operators, the above equality can be written as

$$pers(\varphi_m) = \{\sigma \in (2^{AP})^\omega \mid \sigma \models \Diamond\Box\varphi_m\}.$$

By Proposition 3 we have the following resolution:

$$pers(\varphi) = \bigcup_{m \in JI(l)} m \wedge pers(\varphi_m).$$

Then for an mv-TS $TS$, by Proposition 4 we have

$TS \models pers(\varphi)$ iff $Traces(TS) \sqsubseteq pers(\varphi)$ iff $\forall m \in JI(l)$, $Traces(TS)_m \subseteq pers(\varphi)_m = pers(\varphi_m)$, iff $\forall m \in JI(l)$, $TS_m \models pers(\varphi_m)$.

Hence the mv-model checking problem $TS \models pers(\varphi)$ can be reduced to at most $|JI(l)|$ instances of classical model checking $TS_m \models pers(\varphi_m)$, $m \in JI(l)$. There is a nested depth-first search algorithm to verify $TS_m \models pers(\varphi_m)$ (see Ref. [2]). Thus the mv-model checking problem $TS \models pers(\varphi)$ reduces to classical model checking.

We present the above reduction procedure in Algorithm 2. For simplicity, we only write the part of Algorithm 2 that differs from Algorithm 1. Remark 9 also applies to Algorithm 2.



Algorithm 2: (Algorithm for the multi-valued model checking of a persistence property)

Input: An mv-transition system $TS$ and an mv-proposition formula $\varphi$.
Output: return true if $TS \models pers(\varphi)$. Otherwise, return a maximal element $x$ plus a counterexample for $\varphi_x$.

Replace $TS_x \models inv(\varphi_x)$ by $TS_x \models pers(\varphi_x)$ in the body of Algorithm 1.



The mv-persistence property $pers(\varphi)$ is an mv-liveness property. In fact, by Proposition 5 (2),

$$Closure(pers(\varphi)) = Closure\Big(\bigcup_{m \in JI(l)} m \wedge pers(\varphi_m)\Big) = \bigcup_{m \in JI(l)} m \wedge Closure(pers(\varphi_m)) = \bigcup_{m \in JI(l)} m \wedge (2^{AP})^\omega = (2^{AP})^\omega.$$

The dual notion of the mv-persistence property is called the mv-dual persistence property, defined as follows.

Definition 18. Let $\varphi$ be an mv-proposition formula generated by the atomic propositions $AP$. The mv-dual persistence property over $AP$ with respect to $\varphi$ is the mv-linear-time property $P : (2^{AP})^\omega \to l$ defined by

$$P(A_0A_1\cdots) = \bigwedge_{i \ge 0}\bigvee_{j \ge i}\varphi(A_j).$$

The formula $\varphi$ is called a dual-persistence (or state) condition of $P$. To emphasize the formula $\varphi$, $P$ is also denoted by $dpers(\varphi)$, i.e.,

$$dpers(\varphi)(A_0A_1\cdots) = \bigwedge_{i \ge 0}\bigvee_{j \ge i}\varphi(A_j).$$

The duality of $pers$ and $dpers$ is shown in the following proposition, which can be checked by a simple calculation.

Proposition 11. $dpers(\varphi) = \neg pers(\neg\varphi)$.

Similarly to $pers(\varphi)$, we have some observations on the mv-dual persistence property.

For the cuts of $dpers(\varphi)$ it is readily verified that, for any $m \in JI(l)$,

$$dpers(\varphi)_m = dpers(\varphi_m),$$

where $dpers(\varphi_m)$ is the dual of the persistence property w.r.t. the proposition formula $\varphi_m$ generated by the atomic propositions $AP$, i.e.,

$$dpers(\varphi_m) = \{A_0A_1\cdots \in (2^{AP})^\omega \mid \forall i \ge 0.\, \exists j \ge i.\, A_j \models \varphi_m\}.$$

Then $dpers(\varphi_m) = \neg pers(\neg\varphi_m)$. Using the temporal operators, we have

$$dpers(\varphi_m) = \{\sigma \in (2^{AP})^\omega \mid \sigma \models \Box\Diamond\varphi_m\}.$$

By Proposition 3 it follows that

$$dpers(\varphi) = \bigcup_{m \in JI(l)} m \wedge dpers(\varphi_m).$$

Then for an mv-TS $TS$, by Proposition 4 we have

$TS \models dpers(\varphi)$ iff $Traces(TS) \sqsubseteq dpers(\varphi)$ iff $\forall m \in JI(l)$, $Traces(TS)_m \subseteq dpers(\varphi)_m = dpers(\varphi_m)$, iff $\forall m \in JI(l)$, $TS_m \models dpers(\varphi_m)$.

Hence the mv-model checking problem $TS \models dpers(\varphi)$ can be reduced to at most $|JI(l)|$ instances of classical model checking $TS_m \models dpers(\varphi_m)$, $m \in JI(l)$. As is well known, to check $TS_m \models dpers(\varphi_m)$ it suffices to analyze the bottom strongly connected components (BSCCs) of $TS_m$ viewed as a graph, which can be done in linear time. That is to say, $A_0A_1\cdots \models \Box\Diamond B$ for a state subset $B \subseteq S$ iff $T \cap B \neq \emptyset$ for each BSCC $T$ that is reachable from $s_0$, where $L(s_0) = A_0$ and $s_0 \in I_m$. For the details we refer to Ref. [2].

We present the above reduction procedure in Algorithm 3. Remark 9 also applies to Algorithm 3.



Algorithm 3: (Algorithm for the multi-valued model checking of a dual-persistence property)

Input: An mv-transition system $TS$ and an mv-proposition formula $\varphi$.

Output: return true if $TS \models dpers(\varphi)$. Otherwise, return a maximal element $x$ plus a counterexample for $\varphi_x$.

Replace $TS_x \models inv(\varphi_x)$ by $TS_x \models dpers(\varphi_x)$ in the body of Algorithm 1.
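The BSCC-based check of $TS_m \models dpers(\varphi_m)$ behind Algorithm 3, as an added worked example (not code from the paper). The lattice is the chain $\{0, \tfrac12, 1\}$, so $JI(l) = \{\tfrac12, 1\}$ and the $m$-cut of a degree is the test $\ge m$; the sample mv-TS, the formula phi and all function names are constructed. Each join-irreducible cut is checked on its own: here $TS_1$ satisfies $\Box\Diamond\varphi_1$ while $TS_{1/2}$ reaches a BSCC that never sees $g$.

```python
"""Mv-dual-persistence checking on a chain lattice via bottom SCCs."""

# Lattice l = chain {0, 1/2, 1}; every non-zero element is join-irreducible
# and the m-cut of a degree is just the test `degree >= m`.
JI = [0.5, 1.0]

# Constructed mv-TS over AP = {g}: s0 <-> s1 at degree 1, s1 -> s2 at
# degree 1/2, s2 loops at degree 1.  Only s1 carries g.
STATES = ["s0", "s1", "s2"]
INIT = {"s0": 1.0, "s1": 0.0, "s2": 0.0}
LABEL = {"s0": frozenset(), "s1": frozenset({"g"}), "s2": frozenset()}
ETA = {("s0", "s1"): 1.0, ("s1", "s0"): 1.0,
       ("s1", "s2"): 0.5, ("s2", "s2"): 1.0}


def phi(label):
    """mv-proposition phi = g (crisp here); dpers(phi) is "g infinitely often"."""
    return 1.0 if "g" in label else 0.0


def sccs(states, succ):
    """Tarjan's algorithm; returns the strongly connected components as frozensets."""
    index, low, on_stack, stack, result = {}, {}, set(), [], []

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in succ[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:          # v is the root of a component
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            result.append(frozenset(comp))

    for v in states:
        if v not in index:
            visit(v)
    return result


def bottom_sccs(states, succ):
    """BSCCs: components with no transition leaving them."""
    return [c for c in sccs(states, succ)
            if all(w in c for v in c for w in succ[v])]


def dpers_cut_check(m):
    """Classical TS_m |= dpers(phi_m), i.e. []<>phi_m: every BSCC reachable from
    an initial state of TS_m must contain a state with phi(L(s)) >= m.
    Returns None when it holds, otherwise a violating BSCC as counterexample."""
    init_m = [s for s in STATES if INIT[s] >= m]
    succ_m = {s: [t for (u, t), r in ETA.items() if u == s and r >= m]
              for s in STATES}
    reach, frontier = set(init_m), list(init_m)
    while frontier:                     # states reachable in TS_m
        s = frontier.pop()
        for t in succ_m[s]:
            if t not in reach:
                reach.add(t)
                frontier.append(t)
    for comp in bottom_sccs(sorted(reach), succ_m):
        if not any(phi(LABEL[s]) >= m for s in comp):
            return comp
    return None


def mv_dpers_check():
    """TS |= dpers(phi) iff TS_m |= dpers(phi_m) for every m in JI(l); cuts are
    visited largest first and the first failing cut is reported with its BSCC."""
    for m in sorted(JI, reverse=True):
        bad = dpers_cut_check(m)
        if bad is not None:
            return m, bad
    return True


if __name__ == "__main__":
    print(mv_dpers_check())   # (0.5, frozenset({'s2'}))
```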



4. The verification of mv-regular safety property 

In this and the next section we give some methods for model checking multi-valued safety properties. We introduce an automata approach to check an mv-regular safety property by reducing it to checking invariant properties of a certain larger system. In order to do this, let us first introduce the notion of finite automaton in multi-valued logic systems, which is also called a lattice-valued finite automaton in this paper; see Ref. [29-31].



Definition 19. An $l$-valued finite automaton ($l$-VFA for short) is a 5-tuple $\mathcal{A} = (Q, \Sigma, \delta, I, F)$, where $Q$ denotes a finite set of states, $\Sigma$ a finite input alphabet, and $\delta$ an $l$-valued subset of $Q \times \Sigma \times Q$, that is, a mapping from $Q \times \Sigma \times Q$ into $l$, called the $l$-valued transition relation. Intuitively, $\delta$ is an $l$-valued (ternary) predicate over $Q$, $\Sigma$ and $Q$, and for any $p, q \in Q$ and $\sigma \in \Sigma$, $\delta(p, \sigma, q)$ stands for the truth value of the proposition that input $\sigma$ causes state $p$ to become $q$. $I$ and $F$ are $l$-valued subsets of $Q$, that is, mappings from $Q$ into $l$, which represent the initial states and final states, respectively. For each $q \in Q$, $I(q)$ indicates the truth value (in the underlying mv-logic) of the proposition that $q$ is an initial state, and $F(q)$ expresses the truth value of the proposition that $q$ is a final state.

The language accepted by an $l$-VFA $\mathcal{A}$, which is an mv-language $L(\mathcal{A}) : \Sigma^* \to l$, is defined as follows: for any word $w = \sigma_1\sigma_2\cdots\sigma_k \in \Sigma^*$,

$$L(\mathcal{A})(w) = \bigvee\Big\{I(q_0) \wedge \bigwedge_{i=0}^{k-1}\delta(q_i, \sigma_{i+1}, q_{i+1}) \wedge F(q_k) \;\Big|\; q_i \in Q \text{ for any } i \le k\Big\}.$$

For an $l$-language $f : \Sigma^* \to l$, if there exists an $l$-VFA $\mathcal{A}$ such that $f = L(\mathcal{A})$, then $f$ is called an $l$-valued regular language or mv-regular language over $\Sigma$.


Definition 20. (cf. [29]) An $l$-valued deterministic finite automaton ($l$-VDFA for short) is a 5-tuple $\mathcal{A} = (Q, \Sigma, \delta, q_0, F)$, where $Q$, $\Sigma$ and $F$ are the same as those in an $l$-valued finite automaton, $q_0 \in Q$ is the initial state, and the lattice-valued transition relation $\delta$ is crisp and deterministic; that is, $\delta$ is a mapping from $Q \times \Sigma$ into $Q$.

The language accepted by an $l$-VDFA $\mathcal{A}$ has a simple form: for any word $w = \sigma_1\sigma_2\cdots\sigma_k \in \Sigma^*$, let $q_{i+1} = \delta(q_i, \sigma_{i+1})$ for any $0 \le i \le k-1$; then

$$L(\mathcal{A})(w) = F(q_k).$$

Note that our definition of $l$-VDFA differs from the usual definition of a deterministic finite automaton only in that the final states form an $l$-valued subset of $Q$. This, however, makes it possible to accept words to certain truth degrees (in the underlying mv-logic), and thus to recognize mv-languages.



Proposition 12. ([29-31]) $l$-VFA and $l$-VDFA are equivalent.



For an mv-safety property $P$, if its good-prefix language $GPref(P)$ is an mv-regular language over $2^{AP}$, then $P$ is called an mv-regular safety property. For an mv-regular safety property $P$, we assume that $\mathcal{A}$ is an $l$-VDFA accepting the good prefixes of $P$, i.e., $L(\mathcal{A}) = GPref(P)$. This is a main difference from the traditional setting of transition systems, where nondeterministic (finite-state or Büchi) automata suffice. The main reason is that we do not have the following equivalence in multi-valued logic:

$$A \le B \quad\text{iff}\quad A \wedge \neg B = 0.$$

So we need to verify $A \le B$ directly instead of checking $A \wedge \neg B = 0$ as in the classical case.

Now we give an approach to construct a new mv-TS from an mv-TS and an $l$-VDFA.

Definition 21. Let $TS = (S, Act, \to, I, AP, L)$ be an mv-transition system without terminal states and $\mathcal{A} = (Q, 2^{AP}, \delta, q_0, F)$ an $l$-VDFA with alphabet $2^{AP}$. The product transition system $TS \otimes \mathcal{A}$ is defined as

$$TS \otimes \mathcal{A} = (S', Act, \to', I', AP', L'),$$

where $S' = S \times Q$; $\to'$ is the smallest relation defined by the rule: if $(s, a, t, r) \in \to$ (i.e., $\eta(s, a, t) = r$) and $\delta(q, L(t)) = p$, then $((s, q), a, (t, p), r) \in \to'$ (i.e., $\eta'((s, q), a, (t, p)) = r$); $I'(s_0, q) = I(s_0)$ if $\delta(q_0, L(s_0)) = q$; $AP' = Q$; and $L' : S' \to 2^{AP'}$ is given by $L'(s, q) = \{q\}$.

Then for any $m \in JI(l)$ it can be readily verified that $(TS \otimes \mathcal{A})_m = TS_m \otimes \mathcal{A}$. Since $\mathcal{A}$ is deterministic, $TS \otimes \mathcal{A}$ can be viewed as the unfolding of $TS$ where the automaton component $q$ of a state $(s, q)$ of $TS \otimes \mathcal{A}$ records the current state of $\mathcal{A}$ for the path fragment taken so far. More precisely, for each (finite or infinite) path fragment $\pi = s_0s_1\cdots$ in $TS$, there exists a unique run $q_0q_1\cdots$ in $\mathcal{A}$ for $trace(\pi) = L(s_0)L(s_1)\cdots$, and $\pi' = (s_0, q_1)(s_1, q_2)\cdots$ is a path fragment in $TS \otimes \mathcal{A}$. Vice versa, every path fragment in $TS \otimes \mathcal{A}$ which starts in a state $(s, \delta(q_0, L(s)))$ arises from the combination of a path fragment in $TS$ and the corresponding run in $\mathcal{A}$. Note that the $l$-VDFA $\mathcal{A}$ does not affect the degree of the trace function. That is, for each path $\pi'$ in $TS \otimes \mathcal{A}$ and its corresponding path $\pi$ in $TS$, $Traces(TS \otimes \mathcal{A})(trace(\pi')) = Traces(TS)(trace(\pi))$. Then we have the following theorem.

Theorem 13. (The verification of mv-regular safety properties) For an mv-TS $TS$ over $AP$, let $P$ be an mv-regular safety property over $AP$ such that $L(\mathcal{A}) = GPref(P)$ for an $l$-VDFA $\mathcal{A}$ with alphabet $2^{AP}$. The following statements are equivalent:

(1) $TS \models P$;

(2) $Traces_{fin}(TS) \sqsubseteq L(\mathcal{A})$;

(3) $TS \otimes \mathcal{A} \models inv(\varphi)$, where $\varphi = \bigvee_{q \in Q} F(q)\, q$.

Proof: The equivalence of (1) and (2) has been shown. It therefore suffices to prove (2) ⇒ (3) and (3) ⇒ (1).

For the (3) ⇒ (1) part: if $TS \not\models P$, then there exists a path $\pi = s_0s_1s_2\cdots$ in $TS$ with a finite fragment $\hat\pi = s_0\cdots s_n$ such that $Traces(TS)(\sigma) \not\le GPref(P)(\hat\sigma) = L(\mathcal{A})(\hat\sigma)$, where $\sigma = trace(\pi) = L(\pi)$ and $\hat\sigma = trace(\hat\pi)$. Then there is a run $q_0\cdots q_{n+1}$ of $\mathcal{A}$ on $\hat\sigma$. Accordingly, $\delta(q_i, L(s_i)) = q_{i+1}$ for any $i \ge 0$ and $L(\mathcal{A})(\hat\sigma) = F(q_{n+1})$. Thus $Traces(TS)(\sigma) \not\le F(q_{n+1})$. It follows that $\pi' = (s_0, q_1)(s_1, q_2)\cdots(s_n, q_{n+1})\cdots$ is an infinite path in $TS \otimes \mathcal{A}$ with $inv(\varphi)(L'(\pi')) = inv(\varphi)(\{q_1\}\{q_2\}\cdots) = \bigwedge_{i \ge 1}F(q_i) \le F(q_{n+1})$. Since $Traces(TS)(\sigma) \not\le F(q_{n+1})$ and $Traces(TS \otimes \mathcal{A})(L'(\pi')) = Traces(TS)(\sigma)$, it follows that $Traces(TS \otimes \mathcal{A})(L'(\pi')) \not\le inv(\varphi)(L'(\pi'))$. Hence $TS \otimes \mathcal{A} \not\models inv(\varphi)$.

For the (2) ⇒ (3) part: assume that $TS \otimes \mathcal{A} \not\models inv(\varphi)$. Then there exists a path $\pi' = (s_0, q_1)(s_1, q_2)\cdots$ such that $Traces(TS \otimes \mathcal{A})(L'(\pi')) \not\le inv(\varphi)(L'(\pi')) = \bigwedge_{i \ge 1}F(q_i)$. Then there exists $n$ such that $Traces(TS \otimes \mathcal{A})(L'(\pi')) \not\le F(q_{n+1}) = L(\mathcal{A})(L(\hat\pi))$, where $\hat\pi = s_0\cdots s_n$ is a finite fragment of the path $\pi = s_0s_1\cdots$ in $TS$ corresponding to $\pi'$. Furthermore, $\delta(q_i, L(s_i)) = q_{i+1}$ for all $i \ge 0$. It follows that $q_0\cdots q_{n+1}$ is the run for $trace(s_0\cdots s_n) = L(s_0)\cdots L(s_n) = L(\hat\pi)$, and $Traces(TS)(L(s_0)L(s_1)\cdots) = Traces(TS \otimes \mathcal{A})(L'(s_0, q_1)L'(s_1, q_2)\cdots) \not\le L(\mathcal{A})(L(s_0)\cdots L(s_n))$. Hence $Traces_{fin}(TS)(L(\hat\pi)) \not\le L(\mathcal{A})(L(\hat\pi))$. This shows that $Traces_{fin}(TS) \not\sqsubseteq L(\mathcal{A})$. □

Remark 14. By Theorem 13, for a regular safety property $P$, to verify $TS \models P$ it suffices to check $TS \otimes \mathcal{A} \models inv(\varphi)$, where $\mathcal{A}$ is an $l$-VDFA satisfying $L(\mathcal{A}) = GPref(P)$ and $\varphi = \bigvee_{q \in Q} F(q)\, q$. For the latter verification we can use Algorithm 1 presented in this paper.
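The product construction of Definition 21 and the check of Theorem 13 (3), as an added worked example (not code from the paper). The lattice is the chain $\{0, \tfrac12, 1\}$ with $JI(l) = \{\tfrac12, 1\}$; the $l$-VDFA for the good prefixes of "after $a$ has been seen, $b$ must not occur" (a violation counts only to degree $\tfrac12$), the sample mv-TS and all function names are constructed. The block builds $TS \otimes \mathcal{A}$, labels each product state $(s, q)$ with $\varphi(L'(s,q)) = F(q)$, and runs the invariant check on every cut $(TS \otimes \mathcal{A})_m$; raising the degree of the violating transition from $\tfrac12$ to $1$ turns the verdict into a counterexample path at cut $1$.

```python
"""Product TS (x) A with an l-VDFA and the invariant check of Theorem 13."""
from collections import deque

JI = [0.5, 1.0]   # join-irreducible elements of the chain {0, 1/2, 1}

# l-VDFA A = (Q, 2^AP, delta, q0, F) over AP = {a, b}: q0 = nothing seen,
# q1 = a seen and fine, q2 = b occurred after a.  F(q2) = 1/2 makes a
# violated prefix "half good", so GPref(P) takes the value 1/2 there.
Q0 = "q0"
F = {"q0": 1.0, "q1": 1.0, "q2": 0.5}


def delta(q, A):
    """Crisp deterministic transition function on input letter A in 2^AP."""
    if q == "q0":
        return "q1" if "a" in A else "q0"
    if q == "q1":
        return "q2" if "b" in A else "q1"
    return "q2"


def vdfa_language(word):
    """L(A)(w) = F(q_k) for the unique run q0 q1 ... q_k on w (Definition 20)."""
    q = Q0
    for A in word:
        q = delta(q, A)
    return F[q]


def sample_ts(violation_degree):
    """Constructed mv-TS: s0 -> s1 (degree 1), s1 loops (1), s1 -> s2 with
    the given degree, s2 loops (1); L(s0) = {}, L(s1) = {a}, L(s2) = {b}."""
    states = ["s0", "s1", "s2"]
    init = {"s0": 1.0, "s1": 0.0, "s2": 0.0}
    label = {"s0": frozenset(), "s1": frozenset({"a"}), "s2": frozenset({"b"})}
    eta = {("s0", "s1"): 1.0, ("s1", "s1"): 1.0,
           ("s1", "s2"): violation_degree, ("s2", "s2"): 1.0}
    return states, init, label, eta


def product(ts):
    """TS (x) A (Definition 21): eta'((s,q),(t,p)) = eta(s,t) when
    p = delta(q, L(t)); I'(s,q) = I(s) when q = delta(q0, L(s))."""
    states, init, label, eta = ts
    init_p = {(s, delta(Q0, label[s])): init[s] for s in states if init[s] > 0}
    eta_p = {}
    for (s, t), r in eta.items():
        for q in F:                # one copy of the transition per automaton state
            eta_p[((s, q), (t, delta(q, label[t])))] = r
    return init_p, eta_p


def invariant_cut_check(init_p, eta_p, m):
    """Classical (TS (x) A)_m |= inv(phi_m): every reachable product state
    (s, q) must have phi(L'(s,q)) = F(q) >= m.  Returns None or a path."""
    parent = {st: None for st, r in init_p.items() if r >= m}
    queue = deque(parent)
    while queue:
        st = queue.popleft()
        if F[st[1]] < m:
            path = []
            while st is not None:
                path.append(st)
                st = parent[st]
            return path[::-1]
        for (u, v), r in eta_p.items():
            if u == st and r >= m and v not in parent:
                parent[v] = st
                queue.append(v)
    return None


def check_regular_safety(ts):
    """TS |= P iff (TS (x) A)_m |= inv(phi_m) for every m in JI(l); the cuts
    are visited largest first and the first failing one is reported."""
    init_p, eta_p = product(ts)
    for m in sorted(JI, reverse=True):
        cex = invariant_cut_check(init_p, eta_p, m)
        if cex is not None:
            return m, cex
    return True


if __name__ == "__main__":
    print(check_regular_safety(sample_ts(0.5)))   # True
    print(check_regular_safety(sample_ts(1.0)))   # (1.0, [('s0','q0'), ('s1','q1'), ('s2','q2')])
```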



5. The verification of mv-ω-regular properties

Now we further study methods for model checking multi-valued ω-regular properties. We need the notion of Büchi automata in multi-valued logic, which can be found in Ref. [25]. We present this notion with some minor changes.



Definition 22. An $l$-Büchi automaton ($l$-VBA for short) is a 5-tuple $\mathcal{A} = (Q, \Sigma, \delta, I, F)$ with the same components as an $l$-VFA; the difference lies in the language accepted by $\mathcal{A}$, which is the mv-ω-language $L_\omega(\mathcal{A})$ defined as follows: for any infinite sequence $w = \sigma_1\sigma_2\cdots \in \Sigma^\omega$,

$$L_\omega(\mathcal{A})(w) = \bigvee\Big\{I(q_0) \wedge \bigwedge_{i \ge 0}\delta(q_i, \sigma_{i+1}, q_{i+1}) \wedge \bigwedge_{j \in J}F(q_j) \;\Big|\; q_i \in Q \text{ for any } i \ge 0, \text{ and } J \subseteq \mathbb{N} \text{ is an infinite subset of the non-negative integers}\Big\}.$$

For an mv-ω-language $f : \Sigma^\omega \to l$, if there exists an $l$-VBA $\mathcal{A}$ such that $f = L_\omega(\mathcal{A})$, then $f$ is called an mv-ω-regular language over $\Sigma$.

In an $l$-VBA $\mathcal{A} = (Q, \Sigma, \delta, I, F)$, if $\delta$ and $I$ are crisp, i.e., the image sets of $\delta$ and $I$, denoted $Im(\delta)$ and $Im(I)$ respectively, are subsets of $\{0, 1\}$, i.e., $Im(\delta) \subseteq \{0, 1\}$ and $Im(I) \subseteq \{0, 1\}$, then $\mathcal{A}$ is called simple. In this case, we also write $Q_0 = \{q \in Q \mid I(q) = 1\}$ and $\delta(q, \sigma) = \{p \in Q \mid \delta(q, \sigma, p) = 1\}$.

If $\mathcal{A}$ is a simple $l$-VBA, then for any input $w = \sigma_1\sigma_2\cdots \in \Sigma^\omega$ we have

$$L_\omega(\mathcal{A})(w) = \bigvee\Big\{\bigwedge_{j \in J}F(q_j) \;\Big|\; q_0 \in Q_0,\ q_j \in \delta(q_{j-1}, \sigma_j) \text{ for any } j \ge 1, \text{ and } J \subseteq \mathbb{N} \text{ is an infinite subset}\Big\} = \bigvee\Big\{\bigwedge_{i \ge 0}\bigvee_{j \ge i}F(q_j) \;\Big|\; q_0 \in Q_0,\ q_j \in \delta(q_{j-1}, \sigma_j) \text{ for any } j \ge 1\Big\}.$$

We shall show that every $l$-VBA is equivalent to a simple $l$-VBA.

Assume that $\mathcal{A} = (Q, \Sigma, \delta, I, F)$ is an $l$-VBA. Let $X = Im(I) \cup Im(\delta)$, which is a finite subset of $l$, and write $l_1$ for the sublattice of $l$ generated by $X$. Then $l_1$ is finite as a set since $l$ is a distributive lattice. Construct a simple $l$-VBA $\mathcal{A}' = (Q', \Sigma, \delta', Q_0', F')$, where $Q' = Q \times l_1$ and $\delta' : Q' \times \Sigma \to 2^{Q'}$ is defined by

$$\delta'((q, r), \sigma) = \{(p, s) \mid s = r \wedge \delta(q, \sigma, p) \neq 0,\ p \in Q\};$$

$Q_0' = \{(q, r) \mid r = I(q) \neq 0\}$; and $F' : Q' \to l$ is $F'(q, r) = r \wedge F(q)$ for any $(q, r) \in Q'$.

For the new $l$-VBA and any input $w = \sigma_1\sigma_2\cdots$,

$$L_\omega(\mathcal{A}')(w) = \bigvee\Big\{\bigwedge_{j \in J}F'(q_j, r_j) \;\Big|\; (q_0, r_0) \in Q_0',\ (q_j, r_j) \in \delta'((q_{j-1}, r_{j-1}), \sigma_j) \text{ for any } j \ge 1, \text{ and } J \subseteq \mathbb{N} \text{ is an infinite subset}\Big\}.$$

By a simple calculation we obtain

$$L_\omega(\mathcal{A}')(w) = \bigvee\Big\{\bigwedge_{j \in J} I(q_0) \wedge \delta(q_0, \sigma_1, q_1) \wedge \cdots \wedge \delta(q_{j-1}, \sigma_j, q_j) \wedge F(q_j) \;\Big|\; q_i \in Q \text{ for any } i \ge 0, \text{ and } J \subseteq \mathbb{N} \text{ is an infinite subset}\Big\}$$
$$= \bigvee\Big\{I(q_0) \wedge \bigwedge_{i \ge 0}\delta(q_i, \sigma_{i+1}, q_{i+1}) \wedge \bigwedge_{j \in J}F(q_j) \;\Big|\; q_i \in Q \text{ for any } i \ge 0, \text{ and } J \subseteq \mathbb{N} \text{ is an infinite subset of the non-negative integers}\Big\} = L_\omega(\mathcal{A})(w).$$

Therefore $L_\omega(\mathcal{A}) = L_\omega(\mathcal{A}')$, and $\mathcal{A}$ and $\mathcal{A}'$ are equivalent.

A simple $l$-VBA is called deterministic if $Q_0 = \{q_0\}$ is a singleton and $\delta : Q \times \Sigma \to Q$ is deterministic. As in the classical case, there are $l$-VBAs which are not equivalent to any deterministic $l$-VBA.

In the case of a deterministic $l$-VBA, the product of an mv-TS and a deterministic $l$-VBA can be defined as before for the product of an mv-TS and an $l$-VDFA, and the technique for mv-regular safety properties can be roughly adopted.

Theorem 15. (The verification of mv-ω-regular properties using persistence) Let $TS$ be an mv-TS without terminal states over $AP$ and let $P$ be an mv-ω-regular property over $AP$ such that $L_\omega(\mathcal{A}) = \neg P$ for a deterministic $l$-VBA $\mathcal{A}$ with alphabet $2^{AP}$. Then the following statements are equivalent:

(1) $TS \models P$;

(2) $TS \otimes \mathcal{A} \models pers(\varphi)$, where $\varphi = \bigvee_{q \in Q} \neg F(q)\, q$.

Proof: For an infinite path $s_0s_1\cdots$ in $TS$, since $\mathcal{A}$ is deterministic, $q_{i+1} = \delta(q_i, L(s_i))$ is unique for any $i \ge 0$. Then it follows that $P(L(s_0)L(s_1)\cdots) = \neg L_\omega(\mathcal{A})(L(s_0)L(s_1)\cdots) = \neg\big(\bigwedge_{i \ge 0}\bigvee_{j \ge i}F(q_j)\big) = \bigvee_{i \ge 0}\bigwedge_{j \ge i}\neg F(q_j)$. On the other hand, $pers(\varphi)(L'(s_0, q_1)L'(s_1, q_2)\cdots) = pers(\varphi)(\{q_1\}\{q_2\}\cdots) = \bigvee_{i \ge 1}\bigwedge_{j \ge i}\neg F(q_j) = \bigvee_{i \ge 0}\bigwedge_{j \ge i}\neg F(q_j)$. This shows that $P = pers(\varphi)$ under the correspondence of traces. Noting that $Traces(TS)(L(s_0)L(s_1)\cdots) = Traces(TS \otimes \mathcal{A})(L'(s_0, q_1)L'(s_1, q_2)\cdots)$, it follows that $Traces(TS)$ and $Traces(TS \otimes \mathcal{A})$ coincide under the same correspondence. Hence conditions (1) and (2) are equivalent. □

Dual to the above theorem, we can decide $TS \models P$ using an mv-dual persistence property.

Theorem 16. (The verification of mv-ω-regular properties using dual persistence) Let $TS$ be an mv-TS without terminal states over $AP$ and let $P$ be an mv-ω-regular property over $AP$ which can be recognized by a deterministic $l$-VBA $\mathcal{A}$ with alphabet $2^{AP}$. Then the following statements are equivalent:

(1) $TS \models P$;

(2) $TS \otimes \mathcal{A} \models dpers(\varphi)$, where $\varphi = \bigvee_{q \in Q} F(q)\, q$.

Remark 17. Algorithm 2 and Algorithm 3 can be used for the verification of $TS \models P$ as presented in Theorem 15 and Theorem 16.

Since there are mv-ω-regular properties which are not recognized by any deterministic $l$-VBA, the above theorems do not apply to the verification of all mv-ω-regular properties. To relax this restriction, we introduce another approach to the verification of mv-ω-regular properties. For this purpose, we first introduce the notion of mv-deterministic Rabin automaton, which we call an $l$-valued deterministic Rabin automaton here.

Definition 23. An $l$-valued deterministic Rabin automaton ($l$-VDRA for short) is a tuple $\mathcal{A} = (Q, \Sigma, \delta, q_0, \mathcal{F})$, where $Q$ is a finite set of states, $\Sigma$ an alphabet, $\delta : Q \times \Sigma \to Q$ the transition function, $q_0 \in Q$ the starting state, and $\mathcal{F} : 2^Q \times 2^Q \to l$.

A run for $\sigma = A_0A_1\cdots \in \Sigma^\omega$ denotes an infinite sequence $\rho = q_0q_1\cdots$ of states in $\mathcal{A}$ such that $\delta(q_i, A_i) = q_{i+1}$ for $i \ge 0$. The run $\rho$ is accepting if there exists a pair $(H, K) \in 2^Q \times 2^Q$ such that $\mathcal{F}(H, K) > 0$ and

$$(\exists n \ge 0.\, \forall m \ge n.\, q_m \notin H) \wedge (\forall n \ge 0.\, \exists m \ge n.\, q_m \in K).$$

The accepted language of $\mathcal{A}$ is the mapping $L_\omega(\mathcal{A}) : \Sigma^\omega \to l$ given, for any $\sigma = A_0A_1\cdots \in \Sigma^\omega$, by

$$L_\omega(\mathcal{A})(\sigma) = \bigvee\{\mathcal{F}(H, K) \mid \text{there exists an accepting run } \rho = q_0q_1\cdots \text{ for } \sigma \text{ such that } (\exists n \ge 0.\, \forall m \ge n.\, q_m \notin H) \wedge (\forall n \ge 0.\, \exists m \ge n.\, q_m \in K)\}.$$

Theorem 18. The class of mv-ω-languages accepted by $l$-VDRAs is equal to the class of mv-ω-regular languages (those accepted by $l$-VBAs).

We place the proof of this theorem in Appendix IV.

Assume that $supp(\mathcal{F}) = \{(H_1, K_1), \cdots, (H_m, K_m)\}$ in the following.

For an mv-transition system $TS = (S, Act, \to, I, AP, L)$ and an $l$-VDRA $\mathcal{A} = (Q, 2^{AP}, \delta, q_0, \mathcal{F})$, the product transition system $TS \otimes \mathcal{A}$ is defined as follows:

$$TS \otimes \mathcal{A} = (S', Act, \to', I', AP', L'),$$

where $S' = S \times Q$; $\to'$ is the smallest relation defined by the rule: if $(s, a, t, r) \in \to$ (i.e., $\eta(s, a, t) = r$) and $\delta(q, L(t)) = p$, then $((s, q), a, (t, p), r) \in \to'$ (i.e., $\eta'((s, q), a, (t, p)) = r$); $I'(s_0, q) = I(s_0)$ if $\delta(q_0, L(s_0)) = q$; $AP' = 2^Q$; and $L' : S' \to 2^{AP'}$ is given by $L'(s, q) = \{H \in AP' = 2^Q \mid q \in H\}$. In the following we write $\uparrow q = \{H \in AP' = 2^Q \mid q \in H\}$.

Let $Im(\mathcal{F}) - \{0\} = \{r_1, \cdots, r_n\}$ and $\mathcal{F}^{-1}(r_j) = \{(H, K) \mid \mathcal{F}(H, K) = r_j\} = \{(H_{j,1}, K_{j,1}), \cdots, (H_{j,m_j}, K_{j,m_j})\}$. A related mv-(temporal) proposition formula about $\mathcal{A}$ is

$$\varphi = \bigvee_{j=1}^{n} r_j \wedge \Big\{\bigvee_{i=1}^{m_j}\big[(\Diamond\Box\neg H_{j,i}) \wedge (\Box\Diamond K_{j,i})\big]\Big\}.$$

The corresponding mv-linear-time property over $2^{AP'}$ is the mapping $d(\mathcal{A}) : (2^{AP'})^\omega \to l$ defined by

$$d(\mathcal{A})(A_0A_1\cdots) = \bigvee\{r_j \mid \exists i.\,(1 \le i \le m_j).\, (A_0A_1\cdots \models (\Diamond\Box\neg H_{j,i}) \wedge (\Box\Diamond K_{j,i}))\}$$
$$= \bigvee\{r_j \mid \exists i.\,(1 \le i \le m_j).\, (\exists n \ge 0.\, \forall m \ge n.\, A_m \not\models H_{j,i}) \wedge (\forall n \ge 0.\, \exists m \ge n.\, A_m \models K_{j,i})\}$$
$$= \bigvee\{r_j \mid \exists i.\,(1 \le i \le m_j).\, (\exists n \ge 0.\, \forall m \ge n.\, H_{j,i} \notin A_m) \wedge (\forall n \ge 0.\, \exists m \ge n.\, K_{j,i} \in A_m)\}.$$

Theorem 19. (Verification of mv-ω-regular properties)

Let $TS$ be an mv-transition system over $AP$ without terminal states, and let $P$ be an mv-ω-regular property over $AP$ such that $L_\omega(\mathcal{A}) = P$ for some $l$-VDRA $\mathcal{A}$. Then the following statements are equivalent:

(1) $TS \models P$.

(2) $TS \otimes \mathcal{A} \models d(\mathcal{A})$.

Proof: For a path $\pi' = (s_0, q_1)(s_1, q_2)\cdots$ in $TS \otimes \mathcal{A}$, its projection to the first component $\pi = s_0s_1\cdots$ is a path in $TS$. Since $\mathcal{A}$ is deterministic, the correspondence from $\pi'$ to $\pi$ is a one-to-one and onto mapping from the set $Paths(TS \otimes \mathcal{A})$ to the set $Paths(TS)$. To finish the proof, it suffices to show that the following two equations hold:

(i) $Traces(TS \otimes \mathcal{A})(L'(\pi')) = Traces(TS)(L(\pi))$.

(ii) $d(\mathcal{A})(L'(\pi')) = L_\omega(\mathcal{A})(L(\pi))$.

Let us prove the first equality. By the definition of $TS \otimes \mathcal{A}$ we know

$$Traces(TS \otimes \mathcal{A})(L'(\pi')) = \bigvee\Big\{\bigwedge_{i \ge 0} r_i \;\Big|\; \text{there exist } a_1a_2\cdots \in Act^\omega,\ \pi_1 = (s_0', q_1')(s_1', q_2')\cdots \in (S')^\omega,\ r_0 = I(s_0') \text{ and } \eta'((s_i', q_{i+1}'), a_{i+1}, (s_{i+1}', q_{i+2}')) = r_{i+1} \text{ for any } i \ge 0, \text{ and } L'(\pi') = L'(\pi_1)\Big\}.$$

Noting that $L'(\pi') = L'(\pi_1)$ if and only if $\uparrow q_i = \uparrow q_i'$ for any $i$ and $\delta(q_0, L(s_0')) = q_1'$, and that $\uparrow q_i = \uparrow q_i'$ if and only if $q_i = q_i'$ by the definition of the operation $\uparrow$, it follows that the run component of $\pi'$ is uniquely determined by the projected path $\pi = s_0s_1\cdots$. By the definition of $TS \otimes \mathcal{A}$ we know $r_0 = I(s_0) = I'(s_0, q_1)$ and $r_{i+1} = \eta'((s_i, q_{i+1}), a_{i+1}, (s_{i+1}, q_{i+2})) = \eta(s_i, a_{i+1}, s_{i+1})$. Hence

$$Traces(TS \otimes \mathcal{A})(L'(\pi')) = \bigvee\Big\{\bigwedge_{i \ge 0} r_i \;\Big|\; \text{there exist } a_1a_2\cdots \in Act^\omega,\ \pi_1 = s_0's_1'\cdots \in S^\omega,\ r_0 = I(s_0') \text{ and } \eta(s_i', a_{i+1}, s_{i+1}') = r_{i+1} \text{ for any } i \ge 0, \text{ and } L(\pi) = L(\pi_1)\Big\} = Traces(TS)(L(\pi)).$$

Therefore $Traces(TS \otimes \mathcal{A})(L'(\pi')) = Traces(TS)(L(\pi))$.

For the second equation, we know that

$$d(\mathcal{A})(L'(\pi')) = \bigvee\{r_j \mid \text{there exists } i,\ 1 \le i \le m_j,\ L'(\pi') \models \Diamond\Box\neg H_{j,i} \wedge \Box\Diamond K_{j,i}\} = \bigvee\{\mathcal{F}(H_{j,i}, K_{j,i}) \mid L'(\pi') \models \Diamond\Box\neg H_{j,i} \wedge \Box\Diamond K_{j,i}\} = \bigvee\{\mathcal{F}(H, K) \mid L'(\pi') \models \Diamond\Box\neg H \wedge \Box\Diamond K\}.$$

Noting that $L'(\pi') = \uparrow q_1 \uparrow q_2 \cdots$ and $\delta(q_0, L(s_0)) = q_1$, we have $L'(\pi') \models \Diamond\Box\neg H \wedge \Box\Diamond K$ if and only if $\uparrow q_1 \uparrow q_2 \cdots \models \Diamond\Box\neg H$ and $\uparrow q_1 \uparrow q_2 \cdots \models \Box\Diamond K$, if and only if ($\exists n \ge 0.\, \forall m \ge n.\, \uparrow q_m \models \neg H$ and $\forall n \ge 0.\, \exists m \ge n.\, \uparrow q_m \models K$), if and only if ($\exists n \ge 0.\, \forall m \ge n.\, q_m \notin H$ and $\forall n \ge 0.\, \exists m \ge n.\, q_m \in K$), if and only if the run $\rho = q_0q_1\cdots$ is an accepting run for the trace $L(\pi) = L(s_0)L(s_1)\cdots$.

Hence

$$d(\mathcal{A})(L'(\pi')) = \bigvee\{\mathcal{F}(H, K) \mid L'(\pi') \models \Diamond\Box\neg H \wedge \Box\Diamond K\} = \bigvee\{\mathcal{F}(H, K) \mid (\exists n \ge 0.\, \forall m \ge n.\, q_m \notin H) \wedge (\forall n \ge 0.\, \exists m \ge n.\, q_m \in K) \wedge (\delta(q_0, L(s_0)) = q_1 \wedge \delta(q_1, L(s_1)) = q_2 \wedge \cdots)\} = L_\omega(\mathcal{A})(L(s_0)L(s_1)\cdots) = L_\omega(\mathcal{A})(L(\pi)).$$

Therefore $d(\mathcal{A})(L'(\pi')) = L_\omega(\mathcal{A})(L(\pi))$. □

The verification of $TS \otimes \mathcal{A} \models d(\mathcal{A})$ can also be reduced to classical model checking. Since $d(\mathcal{A})(L'(\pi')) = \bigvee\{\mathcal{F}(H, K) \mid L'(\pi') \models \Diamond\Box\neg H \wedge \Box\Diamond K\}$, it follows that $TS \otimes \mathcal{A} \models d(\mathcal{A})$ iff, for any $m \in JI(l)$, $(TS \otimes \mathcal{A})_m \models \bigvee_{(H,K) \in \mathcal{F}_m}(\Diamond\Box\neg H \wedge \Box\Diamond K)$, where $\mathcal{F}_m = \{(H, K) \mid m \le \mathcal{F}(H, K)\}$ is the $m$-cut of $\mathcal{F}$. Then the verification of $TS \otimes \mathcal{A} \models d(\mathcal{A})$ reduces to finitely many instances of classical model checking.

As is well known, $(TS \otimes \mathcal{A})_m \models \bigvee_{(H,K) \in \mathcal{F}_m}(\Diamond\Box\neg H \wedge \Box\Diamond K)$ iff $(s, q_s) \models \Diamond U$ for every initial state $s \in I_m$, where $q_s = \delta(q_0, L(s))$ and $U$ is the union of all accepting BSCCs in the graph of $(TS \otimes \mathcal{A})_m$. A BSCC $T$ in $(TS \otimes \mathcal{A})_m$ is accepting if it fulfills the acceptance condition $\mathcal{F}_m$. More precisely, $T$ is accepting iff there exists some $(H, K) \in \mathcal{F}_m$ such that

$$T \cap (S \times H) = \emptyset \quad\text{and}\quad T \cap (S \times K) \neq \emptyset.$$

Stated in words, there is no state $(s, q) \in T$ such that $q \in H$, and for some state $(t, q') \in T$ it holds that $q' \in K$.

This result suggests determining the BSCCs in the product transition system $(TS \otimes \mathcal{A})_m$ to check which BSCCs are accepting (i.e., to determine $U$). This can be performed by a standard graph analysis. Checking whether a BSCC is accepting amounts to checking all $(H, K) \in \mathcal{F}_m$. The overall complexity of this procedure is

$$O(|JI(l)| \times poly(size(TS), size(\mathcal{A}))),$$

where $size(TS) = |S| + |supp(\eta)|$ and $size(\mathcal{A}) = |Q| + |supp(\delta)|$.

The related algorithm is presented in Algorithm 4. Remark 9 also applies to Algorithm 4.



Algorithm 4: (Algorithm for the multi-valued model checking of an mv-ω-regular property)

Input: An mv-transition system $TS$ and an mv-ω-regular property $P$ which can be accepted by an $l$-VDRA $\mathcal{A}$.

Output: return true if $TS \models P$. Otherwise, return a maximal element $x$ plus a counterexample for $P_x$.

Set $A := JI(l)$ (*the initial $A$ is the set of join-irreducible elements of $l$*)

While ($A \neq \emptyset$) do
    $x \leftarrow$ a maximal element of $A$ (*$x$ is one of the maximal elements of $A$*)
    $\mathcal{F}_x := \{(H, K) \mid \mathcal{F}(H, K) \ge x\}$ (*$\mathcal{F}_x$ is the $x$-cut of $\mathcal{F}$*)
    if $(TS \otimes \mathcal{A})_x \models \bigvee_{(H,K) \in \mathcal{F}_x}(\Diamond\Box\neg H \wedge \Box\Diamond K)$
    then
        $C := \{y \in A \mid y \le x\}$
        $A := A - C$
    else
        Return $x$ plus a counterexample for $(TS \otimes \mathcal{A})_x \models \Diamond\Box\neg H \wedge \Box\Diamond K$ for some $(H, K) \in \mathcal{F}_x$ (*if $(TS \otimes \mathcal{A})_x \not\models \bigvee_{(H,K) \in \mathcal{F}_x}(\Diamond\Box\neg H \wedge \Box\Diamond K)$, then there is a counterexample for $(TS \otimes \mathcal{A})_x \models \Diamond\Box\neg H \wedge \Box\Diamond K$ for some $(H, K) \in \mathcal{F}_x$*)
    fi
od

Return true



However, as in classical model checking, we have the following corollary.

Corollary 20. The mv-model checking problem for mv-transition systems is PSPACE-complete.

6. Truth-value degree of multi-valued model checking

Another view, and a more general picture, of mv-model checking focuses on the membership degree of mv-model checking as studied in Ref. [30]. Let us recall its formal definition.

Definition 24. Let $P$ be an mv-linear-time property and $TS$ an mv-TS. Then the multi-valued model checking function is defined as

$$lMC(TS, P) = \llbracket \forall\sigma \in (2^{AP})^\omega.\, (\sigma \in Traces(TS) \to \sigma \in P) \rrbracket,$$

i.e.,

$$lMC(TS, P) = \bigwedge\{Traces(TS)(\sigma) \to P(\sigma) \mid \sigma \in (2^{AP})^\omega\},$$

where $\to$ is the implication operator in mv-logic.

Informally, the possibility of an mv-TS satisfying an mv-linear-time property 
P, i.e., IMC{TS, P), is the inclusion degree of Traces{TS) into P as two mv-linear- 
time properties. In the definition of IMC{TS,P), the choice of the implication 
operator — > is in its first importance. As we said in the end of Section 2, there 
are two methods to determine the implication operator. First, it can be defined by 
primitive connectives in mv-logic system. For exarnple, we can use a — > & = -ifl V 
b to define the implication operator. In fact, in Ref.||8|,|9|], the implication operator 
is chosen in this form. They had some nice algebraic properties. However, this 
definition can not grasp the essential of the function IMC{TS, P) as indicating the 
inclusion degree of Traces{TS) into P as two trace functions. In fact, intuitively, if 
TS \= P, we should have IMC{TS,P) = 1. But if we choose a ^ b = -la W b, v/e 
would not get IMC{TS, P) = 1 even if TS \= P. For example, in 3-valued logic, I is 
I3 as shown in Fig. [H if we choose Traces{TS) = P = j, where P = 5 means that 
P{o) = \ for any o G (2^^)^', then TS ^ P. However, since \ ^\ = ^\'^ \ = \, 
we would get IMC{TS,P) = \ but not IMC{TS,P) = 1. The second choice of 
implication operator is chosen — > as a primitive connective in mv-logic which 
satisfies the condition = ! whenever a < b as we adopt in the paper. In 

this case, we need that I is also a residual lattice. As said in Section 2, this is not 
the restricted case. In fact, any finite De Morgan algebra is a residual lattice with 
implication operator defined as, 

a ^b = \J\c\a A c < 

For example, if / is in linear order, then a^b = lifa<b and a ^ b = b if 
a > b; if lis a Boolean algebra, then a — > = -ifl V as in the first case. 
In particular, if I = 2, then 
MC{TS,P) = IMC{TS,P). 

The following proposition is simple, and we present it here without proof.

Proposition 21. Let $TS_1, TS_2$ be two mv-TS, and $P_1, P_2$ two mv-linear-time properties. Then

(1) $IMC(TS,P) = 1$ if and only if $TS \models P$.

(2) $IMC(TS, P_1 \cap P_2) = IMC(TS,P_1) \wedge IMC(TS,P_2)$.

(3) $IMC(TS,P_1) \vee IMC(TS,P_2) \le IMC(TS, P_1 \cup P_2)$.

(4) $IMC(TS_1 + TS_2, P) = IMC(TS_1,P) \wedge IMC(TS_2,P)$, where, for $TS_i = (S_i, Act, \to_i, I_i, L_i)$ $(i = 1,2)$, $TS_1 + TS_2$ is $(S, Act, \to, I, L)$. In $TS_1 + TS_2$, $S = S_1 \times \{1\} \cup S_2 \times \{2\}$, the transition function $\eta$ is defined componentwise (its definition is displayed below, after the discussion of $IMC(TS,P) \ge m$), and $L((s,i)) = L_i(s)$ $(i = 1,2)$.

We give an approach to calculate $IMC(TS,P)$. Since $IMC(TS,P) = \bigvee\{m \in JI(l) \mid m \le IMC(TS,P)\}$, to calculate $IMC(TS,P)$ it suffices to decide whether $IMC(TS,P) \ge m$ for $m \in l$. Some analysis is presented as follows.

For $m \in l$, to decide whether $IMC(TS,P) \ge m$, observe that

$IMC(TS,P) \ge m$
iff
$\bigwedge\{Traces(TS)(\sigma) \to P(\sigma) \mid \sigma \in (2^{AP})^\omega\} \ge m$
iff
$\forall \sigma \in (2^{AP})^\omega$, $m \le Traces(TS)(\sigma) \to P(\sigma)$
iff (by the residuation property of $\to$)
$\forall \sigma \in (2^{AP})^\omega$, $m \wedge Traces(TS)(\sigma) \le P(\sigma)$.

For $TS = (S, Act, \to, I, AP, L)$ and $m \in l$, let $m \wedge TS = (S, Act, \to, I \wedge m, AP, L)$, where $I \wedge m : S \to l$ is defined as $(I \wedge m)(q) = I(q) \wedge m$ for any $q \in S$. Then we have

$$Traces(m \wedge TS) = Traces(TS) \wedge m.$$

Hence, we have the following observation:

$\forall \sigma \in (2^{AP})^\omega$, $m \le Traces(TS)(\sigma) \to P(\sigma)$
iff
$Traces(m \wedge TS) \subseteq P$
iff
$m \wedge TS \models P$.

Thus, $IMC(TS,P) \ge m$ iff $m \wedge TS \models P$. We have presented algorithms to decide $m \wedge TS \models P$ in Section 4 and Section 5, so it is decidable whether $IMC(TS,P) \ge m$ holds for any $m \in JI(l)$.



The transition function of $TS_1 + TS_2$ in Proposition 21(4) is given by

$$\eta((s,i), a, (t,j)) = \eta_i(s, a, t).$$
The related algorithm for calculating $IMC(TS,P)$ is presented as follows.

Algorithm 5: (Algorithm for calculating $IMC(TS,P)$)

Input: An mv-transition system TS and an mv-linear-time property P.

Output: the value of $IMC(TS,P)$.

Set $A := JI(l)$ (* the initial A is the set of join-irreducible elements of l *)
Set $B := \emptyset$ (* B collects the join-irreducible elements x with $x \wedge TS \models P$ *)
While ($A \neq \emptyset$) do
    $x \leftarrow$ a maximal element of A (* x is one of the maximal elements of A *)
    if $x \wedge TS \models P$ (* check whether $x \wedge TS \models P$ holds, using Algorithms 1-4 *)
    then
        $C := \{y \in A \mid y \le x\}$ (* every $y \le x$ also satisfies $y \wedge TS \models P$ *)
        $B := B \cup C$
        $A := A - C$
    else
        $A := A - \{x\}$
    fi
od

Return "IMC(TS,P) = " $\bigvee B$
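As an added example (not code from the paper), the following Python computes $IMC(TS,P)$ both directly from Definition 24 with the residual implication and by Algorithm 5, on two constructed finite lattices (the chain $l_3$ and the Boolean algebra $\mathbf{2} \times \mathbf{2}$); it also reproduces the 3-valued case above where $\neg a \vee b$ gives $\frac{1}{2}$ while the residual implication gives 1. The trace functions are constructed over a finite sample of words standing in for $(2^{AP})^\omega$, an assumption made to keep the computation finite.

```python
from functools import reduce
from itertools import product


class FiniteLattice:
    """A finite lattice given by its elements and an order relation leq."""

    def __init__(self, elements, leq):
        self.elements = list(elements)
        self.leq = leq
        self.bottom = next(a for a in self.elements if all(leq(a, b) for b in self.elements))
        self.top = next(a for a in self.elements if all(leq(b, a) for b in self.elements))

    def meet(self, a, b):
        lower = [c for c in self.elements if self.leq(c, a) and self.leq(c, b)]
        return next(c for c in lower if all(self.leq(d, c) for d in lower))

    def join(self, a, b):
        upper = [c for c in self.elements if self.leq(a, c) and self.leq(b, c)]
        return next(c for c in upper if all(self.leq(c, d) for d in upper))

    def big_join(self, xs):
        return reduce(self.join, xs, self.bottom)

    def big_meet(self, xs):
        return reduce(self.meet, xs, self.top)

    def implies(self, a, b):
        """Residual implication of Section 6: a -> b = join{c | a meet c <= b}."""
        return self.big_join(c for c in self.elements if self.leq(self.meet(a, c), b))

    def join_irreducibles(self):
        """JI(l): elements other than bottom that are not the join of two strictly smaller ones."""
        result = []
        for m in self.elements:
            below = [a for a in self.elements if self.leq(a, m) and a != m]
            if m != self.bottom and not any(self.join(a, b) == m for a in below for b in below):
                result.append(m)
        return result


def imc_direct(lat, traces, prop):
    """IMC(TS,P) from Definition 24: the meet over all sample words sigma of
    Traces(TS)(sigma) -> P(sigma); traces and prop map each word to a lattice value."""
    return lat.big_meet(lat.implies(traces[w], prop[w]) for w in traces)


def imc_algorithm5(lat, traces, prop):
    """Algorithm 5: scan the join-irreducibles top-down; x is kept when
    x meet TS |= P, i.e. x meet Traces(TS)(sigma) <= P(sigma) for every sigma."""
    A = lat.join_irreducibles()
    B = []
    while A:
        x = next(a for a in A if not any(lat.leq(a, y) and a != y for y in A))  # a maximal element
        if all(lat.leq(lat.meet(x, traces[w]), prop[w]) for w in traces):
            C = [y for y in A if lat.leq(y, x)]  # every y <= x satisfies y meet TS |= P as well
            B.extend(C)
            A = [y for y in A if y not in C]
        else:
            A = [y for y in A if y != x]
    return lat.big_join(B)


# Constructed lattices: the 3-valued chain l_3 (F < M < T) with its De Morgan
# negation, and the Boolean algebra 2 x 2 ordered componentwise.
L3 = FiniteLattice(["F", "M", "T"], lambda a, b: "FMT".index(a) <= "FMT".index(b))
NEG3 = {"F": "T", "M": "M", "T": "F"}
B4 = FiniteLattice(list(product([0, 1], repeat=2)), lambda a, b: a[0] <= b[0] and a[1] <= b[1])


def material_implies(a, b):
    """The first choice of Section 6 on l_3: a -> b = (not a) or b."""
    return L3.join(NEG3[a], b)


def example_values():
    """The situations discussed in Section 6, on constructed trace functions
    over two sample words w1, w2 (standing in for (2^AP)^omega)."""
    const_m = {"w1": "M", "w2": "M"}            # Traces(TS) = P = M (i.e. 1/2)
    const_t = {"w1": "T", "w2": "T"}            # Traces(TS) = T strictly above P = M
    b4_traces = {"w1": (1, 1), "w2": (0, 1)}
    b4_prop = {"w1": (1, 0), "w2": (1, 1)}
    return {
        "residual_M_to_M": L3.implies("M", "M"),        # T: a <= b gives 1
        "material_M_to_M": material_implies("M", "M"),  # M: (not M) or M = M
        "imc_direct_l3": imc_direct(L3, const_m, const_m),
        "imc_alg5_l3": imc_algorithm5(L3, const_m, const_m),
        "imc_alg5_l3_over": imc_algorithm5(L3, const_t, const_m),
        "imc_direct_b4": imc_direct(B4, b4_traces, b4_prop),
        "imc_alg5_b4": imc_algorithm5(B4, b4_traces, b4_prop),
        "ji_b4": B4.join_irreducibles(),
    }


if __name__ == "__main__":
    for name, value in example_values().items():
        print(name, value)
```

On the chain, the second choice of implication gives $IMC = T$ when $Traces(TS) = P = M$, while the material implication stays at M; on $\mathbf{2} \times \mathbf{2}$ the direct meet and the join-irreducible search of Algorithm 5 agree.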



7. Illustrative examples and case study 

Up to now, we have presented the theoretical part of model-checking of linear- 
time properties in multi-valued logic. In this section, we give some examples to 
illustrate the methods of this article. First, we give an example to illustrate the 
constructions of this article. Then a case study is given. 

7.1. An example 

We now give an example to illustrate the constructions of this article. Note that this is a demonstration rather than a case study aimed at showing the scalability of our approach or the quality of the engineering.

Consider the example of the mv-transition system (in fact, an mv-Kripke structure, which can be considered as an mv-transition system with only one internal action $\tau$) of the abstracted module Button introduced in Refs. [...] in 3-valued logic, which is presented in Fig. 2, where l is the $l_3$ in Fig. 1. This transition system has five states, $s_0, s_1, s_2, s_3, s_4$, and the transition function is classical, i.e., with values in the Boolean algebra $B_2 = \{0, 1\}$; here $0 = F$, $1 = T$. For convenience, we only give those transitions with non-zero membership values (as labels of the edges of the graph) in the following graph representations of mv-transition systems and l-VDFA. For simplicity, we only write those values of the edge labels (corresponding to mv-transitions) which are M. If an edge of an mv-transition system has no label, its value is T. The labeling function of the mv-transition system is multi-valued, there is only one internal action $\tau$, and the set of atomic propositions is $AP = \{button, pressed, reset\}$.

First, we transform this transition system into its equivalent mv-TS with ordinary labeling function, as we have done in Appendix I, which is presented in Fig. 3. In Fig. 3, b, p and r are short for the atomic propositions "button", "pressed" and "reset", respectively.

An mv-linear-time property $P : (2^{AP})^\omega \to l$ is defined by, for any $A_0A_1\cdots \in (2^{AP})^\omega$,

$$P(A_0A_1\cdots) = \begin{cases} T, & \text{if } A_0 = \emptyset,\ A_1 = \{b\} \text{ and } A_i \neq \{b,p,r\} \text{ for any } i > 1 \\ M, & \text{if } A_0 = \emptyset,\ A_1 = \{b\} \text{ and } A_i = \{b,p,r\} \text{ for some } i > 1 \\ F, & \text{otherwise.} \end{cases}$$

Then the good prefixes of P, $GPref(P) : (2^{AP})^* \to l$, are given by

$$GPref(P)(A_1\cdots A_k) = \begin{cases} T, & \text{if } k = 0, \text{ or } k = 1 \text{ and } A_1 = \emptyset \\ T, & \text{if } k \ge 2,\ A_1 = \emptyset,\ A_2 = \{b\} \text{ and } A_i \neq \{b,p,r\} \text{ for any } i \le k \\ M, & \text{if } k \ge 2,\ A_1 = \emptyset,\ A_2 = \{b\} \text{ and } A_i = \{b,p,r\} \text{ for some } i \le k \\ F, & \text{otherwise.} \end{cases}$$

It can be readily verified that $\bigwedge\{GPref(P)(\theta) \mid \theta \in Pref(\sigma)\} = P(\sigma)$ for any $\sigma \in (2^{AP})^\omega$, so P is an mv-safety property.

$GPref(P)$ is regular since it can be recognized by an l-VDFA $\mathcal{A}$ as presented in Fig. 4. In $\mathcal{A}$, the mv-final state function F is defined as $F(q_0) = F(q_1) = F(q_2) = F(q_3) = T$ and $F(q_4) = M$, as shown in Fig. 4.



Figure 2: State machine of the abstracted module Button in Ref. [...]
Figure 3: Equivalent state machine TS of Fig. 2 with ordinary labeling function
Figure 4: An l-VDFA $\mathcal{A}$ which can recognize $GPref(P)$
Figure 5: The product transition system $TS \otimes \mathcal{A}$



Then the product transition system $TS \otimes \mathcal{A}$ is presented in Fig. 5.

In the product transition system $TS \otimes \mathcal{A}$, the labeling function is defined by $L'(s,q) = \{q\}$ for any state $(s,q)$, and $\varphi = q_1 \vee q_2 \vee q_3 \vee Mq_4$. It can be observed that $L'(Reach((TS \otimes \mathcal{A})_M)) = \{q_1, q_2, q_3, q_4\}$, $L'(Reach((TS \otimes \mathcal{A})_T)) = \{q_1, q_2, q_3\}$, $\varphi_M = q_1 \vee q_2 \vee q_3 \vee q_4$ and $\varphi_T = q_1 \vee q_2 \vee q_3$. It is easily checked that, for $a = M$ or $T$ and for any $(s,q) \in Reach((TS \otimes \mathcal{A})_a)$, $L'(s,q) = \{q\} \models \varphi_a$. By Theorem [?] it follows that $TS \otimes \mathcal{A} \models inv(\varphi)$ and thus $TS \models P$.

However, if we take $P' = P \wedge M$, that is, $P'(\sigma) = P(\sigma) \wedge M$ for any $\sigma \in (2^{AP})^\omega$, then $P'$ is also an mv-safety property. If we change F in the above $\mathcal{A}$ into $F'$, where $F'(q) = M$ for any state q, and leave the other parts unchanged, then we obtain a new l-VDFA $\mathcal{A}'$ such that $L(\mathcal{A}') = GPref(P')$. In this case, the propositional formula $\varphi$ changes into $\varphi' = Mq_0 \vee Mq_1 \vee Mq_2 \vee Mq_3 \vee Mq_4$ in $TS \otimes \mathcal{A}'$. Then $TS_M \models inv(\varphi'_M)$ but $TS_T \not\models inv(\varphi'_T)$, since $\varphi'_T = \bot$ and $(s_1, q_3) \in Reach((TS \otimes \mathcal{A}')_T)$ but $L'(s_1,q_3) = \{q_3\} \not\models \bot = \varphi'_T$; this is a counterexample for the mv-model checking $TS \models P'$.

On the other hand, it is readily verified that $M \wedge TS \models P'$ but $TS \not\models P'$. Hence $IMC(TS,P') = M$ (by Algorithm 5).

To apply Algorithm 4, we modify the l-VDFA in Fig. 4 to make it an l-VDRA $\mathcal{B}$, where $\mathcal{T} : 2^Q \times 2^Q \to l$ is defined as $\mathcal{T}(\emptyset, \{q_1,q_2,q_4\}) = T$, $\mathcal{T}(\{q_4\}, \{q_1,q_2,q_3\}) = M$, and $\bot$ in all other cases. Then $\mathcal{T}_T = \{(\emptyset, \{q_1,q_2,q_4\})\} = \{(H_1,K_1)\}$ and $\mathcal{T}_M = \{(\{q_4\}, \{q_1,q_2,q_3\})\} = \{(H_2,K_2)\}$. The corresponding mv-ω-regular property $P'' = L_\omega(\mathcal{B})$ is defined as follows: for $\sigma = A_0A_1\cdots$,

$$P''(\sigma) = \begin{cases} T, & \text{if } A_0 = \emptyset,\ A_1 = \{b\} \text{ and } A_2 = \{b,p,r\} \\ T, & \text{if } A_0 = \emptyset,\ A_1 = \{b\}, \text{ and there exists } k > 1 \text{ such that } A_j \neq \{b,p,r\} \text{ for } 2 \le j \le k \text{ and } A_{k+i} = \{b,p,r\} \text{ for any } i \le k \\ M, & \text{if } A_0 = \emptyset,\ A_1 = \{b\} \text{ and } A_i = \{b,p,r\} \text{ for any } i \ge 2 \\ F, & \text{otherwise.} \end{cases}$$

The structure of the product $TS \otimes \mathcal{B}$ is the same as that in Fig. 5 except for the labeling function.

Using Algorithm 4, it is easily checked that $(TS \otimes \mathcal{B})_T \models \Diamond\Box\neg H_1 \wedge \Box\Diamond K_1$ but $(TS \otimes \mathcal{B})_M \not\models \Diamond\Box\neg H_2 \wedge \Box\Diamond K_2$, which is a counterexample for the model checking $TS \models P''$.

In fact, using Algorithm 5, we have $IMC(TS, P'') = M$.

7.2. Case study

In this section, we study how to verify a cache coherence protocol with the above methods. Usually, in many distributed file systems, servers store files and clients store local copies of these files in their caches. Clients communicate with servers by exchanging messages and data (e.g., files), and clients do not communicate with each other. Moreover, each file is associated with exactly one authorized server. There are two ways to ensure cache coherence: either the client asks the server whether its copy is valid, or the server tells the client when the client's copy is no longer valid. Therefore, in a distributed system using a sound cache coherence protocol, if a client believes that a cached file is valid, then the server that is the authority on the file believes the client's copy is valid.



In this case study, we verify AFS2 ([20]), a cache coherence protocol which works as follows.

In the server, the initial state is $s_0$, at which the server believes the file is invalid. When the server receives the message validate from the client and the file is valid, the server moves from $s_0$ to $s_1$, at which the server believes the file is valid; otherwise, if the file is invalid, the server stays at $s_0$. Furthermore, the server moves from $s_0$ to $s_1$ when it receives the message fetch from the client. In addition, the server moves from $s_1$ to $s_0$ when it receives the message update from the client or the message failure; these respectively mean that the client has updated its file copy and the server needs to notify the other clients holding the copy to update accordingly, and that something went wrong in the communication between the client and server, so they should check the coherence of the file again. It is represented in Fig. 6.

For the client, its set of initial states is composed of $s_0$, $s_1$ and $s_2$. The state $s_0$ ($s_1$) represents that the client has no file copy in its cache and believes that the file is valid (invalid). The state $s_2$ describes that the client has a file copy and believes it is invalid. Therefore, if the client starts in state $s_2$, it will send the message val to ask the server whether or not the file copy in its cache is valid, while if the client starts in state $s_0$ or $s_1$, it will send the message fetch to get the valid file directly from the server. In addition, the state $s_3$ means that the client has a file copy and believes the file copy is valid. When the client receives the message inval from the server, it moves from $s_3$ ($s_2$) to $s_0$ or $s_1$, which means that the server notifies the client that the copy is no longer valid and the client should discard the copy in its cache (as there is no file copy, the validity of the file is unknown, i.e., the variable belief equals either true or false). When the client receives the message failure from the system, it moves from $s_3$ to $s_2$, which means something went wrong in the communication between the client and server and they should check the coherence of the file again. The transition system of a client is represented in Fig. 7.

Figure 6: The transition system of the server

In this case study, the pair of states $\{s_0, s_1\}$ of the client (indicated by the dashed line in Fig. 7) has a symmetric relation and can be abstracted. This corresponds to the value of the variable belief being irrelevant when the variable file is f. Thus we can model the transition relation of the client by a 3-valued variable, as shown in Fig. 8. When this model is composed with the rest of the AFS2 model, we get a 3-valued model-checking problem which cannot be directly verified using classical model-checking.

In addition, it might happen that the server sends an inval message to some client that believes that its copy is valid. During the transmission, a property may hold since the client believes that its copy is valid while the server does not. Therefore, this transmission delay must be taken into account. We model the delay with the shared variable $time_i$.

For completeness, we provide the models of the (abstract) client and server of the AFS2 module as follows, where the client model using the 3-valued variable is denoted by MODULE Abstracted client; its state machine model is shown in Fig. 8.

Figure 7: The transition system of the client
Figure 8: The abstracted transition system of the client
MODULE server (input1, failure1, time1, input2, failure2, time2)
VAR
    valid_file1, valid_file2 : boolean;
    out1, out2 : {0, val, inval};
    belief1, belief2 : {fileT_beliefT, fileT_beliefF};
ASSIGN
    -- the validity of each file is fixed for the whole run
    next(valid_file1) := valid_file1;
    next(valid_file2) := valid_file2;
    init(belief1) := fileT_beliefF;
    next(belief1) :=
        case
            failure1 : fileT_beliefF;
            (belief1 = fileT_beliefF) & ((input1 = fetch) | ((input1 = validate) & valid_file1)) : fileT_beliefT;
            (belief1 = fileT_beliefF) & ((input1 = validate) & !valid_file1) : fileT_beliefF;
            (belief1 = fileT_beliefT) & ((input2 = update)) : fileT_beliefF;
            TRUE : belief1;
        esac;
    init(out1) := 0;
    next(out1) :=
        case
            failure1 : 0;
            (belief1 = fileT_beliefF) & ((input1 = fetch) | ((input1 = validate) & valid_file1)) : val;
            (belief1 = fileT_beliefF) & ((input1 = validate) & !valid_file1) : inval;
            (belief1 = fileT_beliefT) & ((input2 = update)) : inval;
            TRUE : out1;
        esac;
    -- time1 is a global variable and init(time1) := FALSE
    next(time1) :=
        case
            failure1 : FALSE;
            (belief1 = fileT_beliefT) & ((input2 = update)) : FALSE;
            (belief1 = fileT_beliefF) & ((input1 = validate) & !valid_file1) : FALSE;
            TRUE : time1;
        esac;
    init(belief2) := fileT_beliefF;
    -- ... the statements on belief2, out2 and time2 are similar
    -- to those on belief1, out1 and time1
FAIRNESS
    running



MODULE client (input, failure, time)
VAR
    out : {0, fetch, validate, update};
    belief : {fileT_beliefT, fileT_beliefF, fileF_beliefT, fileF_beliefF};
ASSIGN
    init(belief) := {fileF_beliefT, fileF_beliefF, fileT_beliefF};
    next(belief) :=
        case
            ((belief = fileF_beliefT) | (belief = fileF_beliefF)) & (input = val) : fileT_beliefT;
            (belief = fileT_beliefF) & (input = val) : fileT_beliefT;
            (belief = fileT_beliefF) & (input = inval) : fileF_beliefF;
            -- the copy is discarded, so the belief about the file becomes unknown
            (belief = fileT_beliefT) & (input = inval) : {fileF_beliefT, fileF_beliefF};
            (belief = fileT_beliefT) & failure : fileT_beliefF;
            TRUE : belief;
        esac;
    init(out) := 0;
    next(out) :=
        case
            ((belief = fileF_beliefT) | (belief = fileF_beliefF)) & (input = 0) : {fetch, 0};
            (belief = fileT_beliefF) & (input = 0) : {validate, 0};
            (belief = fileT_beliefT) & ((input = inval) | failure) : 0;
            (belief = fileT_beliefT) & (input != inval) : update;
            TRUE : out;
        esac;
    -- time is a global variable
    next(time) :=
        case
            ((belief = fileF_beliefT) | (belief = fileF_beliefF)) & (input = val) : TRUE;
            (belief = fileT_beliefF) & ((input = val) | (input = inval)) : TRUE;
            (belief = fileT_beliefT) & (failure | (input = inval)) : TRUE;
            TRUE : time;
        esac;
FAIRNESS
    running



MODULE Abstracted_client (input, failure, time)
VAR
    out : {0, fetch, validate, update};
    -- fileF_beliefM is the 3-valued abstraction of {fileF_beliefT, fileF_beliefF}
    belief : {fileT_beliefT, fileT_beliefF, fileF_beliefM};
ASSIGN
    init(belief) := {fileF_beliefM, fileT_beliefF};
    next(belief) :=
        case
            (belief = fileF_beliefM) & (input = val) : fileT_beliefT;
            (belief = fileT_beliefF) & (input = val) : fileT_beliefT;
            (belief = fileT_beliefF) & (input = inval) : fileF_beliefM;
            (belief = fileT_beliefT) & (input = inval) : fileF_beliefM;
            (belief = fileT_beliefT) & failure : fileT_beliefF;
            TRUE : belief;
        esac;
    init(out) := 0;
    next(out) :=
        case
            (belief = fileF_beliefM) & (input = 0) : {fetch, 0};
            (belief = fileT_beliefF) & (input = 0) : {validate, 0};
            (belief = fileT_beliefT) & (input != inval) : update;
            (belief = fileT_beliefT) & ((input = inval) | failure) : 0;
            TRUE : out;
        esac;
    -- time is a global variable and init(time) := FALSE
    next(time) :=
        case
            (belief = fileF_beliefM) & (input = val) : TRUE;
            (belief = fileT_beliefF) & ((input = val) | (input = inval)) : TRUE;
            (belief = fileT_beliefT) & (failure | (input = inval)) : TRUE;
            TRUE : time;
        esac;
FAIRNESS
    running



The linear-time properties of the AFS2 system we verified are as follows.

P1: If a client believes that a cached file is valid, then the server that is the authority on the file believes the client's copy is valid.

This property can be represented by a linear-temporal logic formula as follows.

For one client:

$$\Box\big((Client_1.belief \wedge Client_1.file \to (Server.belief_1 \wedge Server.file_1) \vee \neg time_1) \wedge (Server.out_1 = val \to Server.belief_1 \wedge Server.file_1)\big).$$

For N clients:

$$\Box\Big(\bigwedge_{i=1}^{N} (Client_i.belief \wedge Client_i.file \to (Server.belief_i \wedge Server.file_i) \vee \neg time_i) \wedge (Server.out_i = val \to Server.belief_i \wedge Server.file_i)\Big).$$

P2: If a server believes that the client's copy is valid, then the client believes the cached file on the client is valid.

This property can be written as a linear-temporal logic formula as follows.

For one client:

$$\Box\big((Server.belief_1 \wedge Server.file_1 \to ((Client_1.belief \wedge Client_1.file) \vee \neg time_1)) \wedge (Server.out_1 = (validate \wedge valid\_file) \vee fetch \to Server.belief_1 \wedge Server.file_1)\big).$$

For N clients:

$$\Box\Big(\bigwedge_{i=1}^{N} (Server.belief_i \wedge Server.file_i \to ((Client_i.belief \wedge Client_i.file) \vee \neg time_i)) \wedge (Server.out_i = (validate \wedge valid\_file) \vee fetch \to Server.belief_i \wedge Server.file_i)\Big).$$



The results are summarized in Fig. 9, Table 1 and Table 2. The property P1 is correct, while the property P2 is wrong and a counterexample is given. There are several linear-temporal logic symbolic model checking tools, as explained in Ref. [31]. The tool NuSMV 2.5.4, running on a Pentium(R) Dual-Core E5800 with a 3.20GHz processor and 2.00GB RAM under ubuntu-11.04-desktop-i386, is used for the verification in this case study.

In this case study, we use classical model-checking twice to verify the model-checking of a linear-time property in mv-logic. On the other hand, in classical model-checking of the original problem, the state space of the model is more complex than that of the abstracted model represented by mv-logic (as shown in Table 1 and Table 2). The overall time complexity of mv-logic is smaller than that in the classical case, as shown in Fig. 9, Table 1 and Table 2.



8. Conclusions 



Multi-valued model checking is a multi-valued extension of classical model checking. Both the model of the system and the specification take values over a de Morgan algebra. Such an extension enhances the expressive power of temporal logic and allows reasoning under uncertainty. Some of the applications that can take advantage of multi-valued model checking are abstraction techniques, reasoning about conflicting viewpoints and temporal logic query checking. In this paper, we studied several important multi-valued linear-time properties and the multi-valued model checking corresponding to them. Concretely, we introduced the notions of safety property, invariant property, liveness, persistence and dual-persistence property in multi-valued logic systems. Since the law of non-contradiction (i.e., $a \wedge \neg a = 0$) and the law of excluded middle (i.e., $a \vee \neg a = 1$) do not hold in multi-valued logic, the linear-time properties introduced in this paper have new forms compared to those in classical logic. For example, the safety property in mv-logic is defined using good prefixes instead of bad prefixes. Model checking of multi-valued invariant properties and persistence properties can be reduced to their classical counterparts, and the related algorithms were also presented. Furthermore, we introduced lattice-valued finite automata including Büchi and Rabin automata. With these notions, we gave verification methods for multi-valued regular safety properties and multi-valued ω-regular properties. Since the law of non-contradiction and the law of excluded middle do not hold in multi-valued logic, the verification methods given here are direct and not a direct extension of the classical methods; they are also complementary to the classical verification methods. A new form of multi-valued model checking with membership degree (compared to that in [8]) was also introduced. The related verification algorithms were presented.

Figure 9: The running times of the multi-valued and classical model checking for AFS2
Table 1: The results of the classical model checking for AFS2 (columns include BDD Node)
Table 2: The results of the multi-valued model checking for AFS2

There has been much work on multi-valued model checking, for example [...]. As we said in the introduction, we adopted a direct method for model checking of multi-valued linear-time properties instead of the existing indirect methods. Precisely, the existing methods of mv-model checking still used the classical method with some minor corrections. That is, instead of checking $TS \models P$ for an mv-linear-time property P using the inclusion of the trace function, $Traces(TS) \subseteq P$, the existing methods only checked the membership degree of the language $Traces(TS) \cap L(\mathcal{A}_{\neg P})$, where $\mathcal{A}_{\neg P}$ is an mv-Büchi automaton such that $L(\mathcal{A}_{\neg P}) = \neg P$. However, as said in Ref. [2], the equivalences and preorders between transition systems that "correspond" to linear temporal logic are based on trace inclusion and equality. In this paper, we adopted the multi-valued model checking $TS \models P$ by using the inclusion relation $Traces(TS) \subseteq P$ directly. In general, we used the implication connective as a primitive connective in mv-logic which satisfies $a \le b$ iff $a \to b = 1$ to define the membership degree of the inclusion of $Traces(TS)$ into P. We give further comments on the comparison of our method to the existing approaches as follows.

Since we chose $\to$ as a primitive connective in mv-logic, classical logic cannot be embedded into mv-logic in a unique way as done in [11]. For example, $a \to b$ and $\neg a \vee b$ are equivalent in classical logic, but not in mv-logic. This is one of the main differences between our method and the existing approaches. Because of this difference, we verify that the system model TS satisfies the specified linear-time property P, i.e., $TS \models P$, directly using the inclusion $Traces(TS) \subseteq P$ instead of $L(\mathcal{A}) \cap L(\mathcal{A}_{\neg P}) = \emptyset$, where $\mathcal{A}_{\neg P}$ is a multi-valued Büchi automaton such that $L(\mathcal{A}_{\neg P}) = \neg P$. Regarding expressiveness, we mainly studied the model-checking of linear-time properties in mv-logic systems; compared with the work [8], we use more general lattices instead of the finite total order lattice in [8] to represent the truth values in mv-logic. All the properties studied in [8] can be tackled using our method, and another, different view can be given. For the multi-valued model checking of CTL, etc., as done in [...], our method could also be applied, which forms one of our future works.

Therefore, the approach proposed in this paper can be thought of as complementary to the multi-valued model checking approaches mentioned. The examples and case study show the validity and performance of the method proposed in this article. As one future work, we shall give a further comparison of our method with the available methods in multi-valued model checking and give some experiments. Another direction is to extend the method used in this paper to multi-valued LTL or CTL.
Appendix I: The equivalent definition of multi-valued transition system

In an mv-TS $TS = (S, Act, \to, I, AP, L)$, if the labeling function is $L : S \to l^{AP}$ or $L : S \times AP \to l$, then we have another form of mv-TS. The latter is used in Ref. [10] (where it is called an mv-Kripke structure), with $L(s,A)$ representing the truth value of the atomic proposition A at state s.

In this case, the trace function of TS needs to be redefined as follows.

Since TS is finite, we can assume that $Im(L) = \{d_1, \cdots, d_t\}$. For any $d \in Im(L)$, define $L_d : S \to 2^{AP}$ as follows:

$$L_d(s) = \{A \in AP \mid L(s,A) \ge d\}.$$

Then $Traces(TS) : (2^{AP})^\omega \to l$ is defined in the following manner. Let $A_0A_1\cdots \in (2^{AP})^\omega$, and let $\rho = s_0 a_1 s_1 a_2 \cdots$ be a run of TS with state sequence $\pi = s_0 s_1 \cdots$ such that $\eta(s_i, a_{i+1}, s_{i+1}) = r_{i+1}$ and $L_{d_{\varphi(i)}}(s_i) = A_i$ for any $i \ge 0$, where $d_{\varphi(i)}$ is an element of $Im(L)$ with $\varphi(i) \in \{1, \cdots, t\}$. Then,

$$Traces(TS)(A_0A_1\cdots) = \bigvee\{ r_0 \wedge d_{\varphi(0)} \wedge r_1 \wedge d_{\varphi(1)} \wedge \cdots \mid \rho = s_0 a_1 s_1 a_2 \cdots \text{ is a run of } TS \text{ with state sequence } \pi = s_0 s_1 \cdots \text{ such that } \eta(s_i, a_{i+1}, s_{i+1}) = r_{i+1} \text{ and } L_{d_{\varphi(i)}}(s_i) = A_i \text{ for any } i \ge 0\},$$

where $r_0 = I(s_0)$.

We construct a new mv-TS from TS with an ordinary labeling function which has the same trace function as the original mv-TS, TS.

Let $S' = S \times \{1, \cdots, t\}$. The initial distribution $I' : S' \to l$ is defined by $I'(s,i) = I(s) \wedge d_i$; $\eta' : S' \times Act \times S' \to l$ is defined by $\eta'((s,i), a, (s',i')) = d_i \wedge \eta(s,a,s') \wedge d_{i'}$; and $L' : S' \to 2^{AP}$ is defined by $L'(s,i) = L_{d_i}(s) = \{A \in AP \mid L(s,A) \ge d_i\}$. Then we have a new mv-TS, $TS' = (S', Act, \eta', I', AP, L')$. Let us calculate the trace function of $TS'$ in the sequel.

For $A_0A_1\cdots \in (2^{AP})^\omega$,

$$Traces(TS')(A_0A_1\cdots) = \bigvee\{\bigwedge_{i \ge 0} r'_i \mid \text{there exists a run } \rho = s'_0 a_1 s'_1 a_2 \cdots \text{ with state sequence } \pi' = s'_0 s'_1 \cdots \text{ such that } \eta'(s'_i, a_{i+1}, s'_{i+1}) = r'_{i+1} \text{ and } L'(s'_i) = A_i \text{ for any } i \ge 0\}.$$

For a run $\rho = s'_0 a_1 s'_1 a_2 \cdots$ in $TS'$, let $s'_i = (s_i, \varphi(i))$ with $d_{\varphi(i)} \in Im(L)$; then from the definitions of $I'$, $\eta'$ and $L'$, we know that

$r'_0 = I'(s_0, \varphi(0)) = I(s_0) \wedge d_{\varphi(0)} = r_0 \wedge d_{\varphi(0)}$, where $r_0 = I(s_0)$;

$r'_i = \eta'((s_{i-1}, \varphi(i-1)), a_i, (s_i, \varphi(i))) = d_{\varphi(i-1)} \wedge \eta(s_{i-1}, a_i, s_i) \wedge d_{\varphi(i)} = d_{\varphi(i-1)} \wedge r_i \wedge d_{\varphi(i)}$ for $i \ge 1$.

Thus, $\bigwedge_{i \ge 0} r'_i = r_0 \wedge d_{\varphi(0)} \wedge r_1 \wedge d_{\varphi(1)} \wedge \cdots$ and $A_i = L'(s'_i) = L_{d_{\varphi(i)}}(s_i)$, which is the same as in the definition of $Traces(TS)(A_0A_1\cdots)$.

Hence, $Traces(TS')(A_0A_1\cdots) = Traces(TS)(A_0A_1\cdots)$ for any $A_0A_1\cdots \in (2^{AP})^\omega$. It follows that $Traces(TS') = Traces(TS)$. $TS'$ is equivalent to TS in the sense of the trace function. □
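As an added example (not part of the paper), the following Python carries out the construction of this appendix on a constructed two-state 3-valued mv-Kripke structure and checks that $Traces(TS)$ and $Traces(TS')$ agree on every word of a given finite length. The structure, its labeling $L : S \times AP \to l_3$, the single action $\tau$, and the encoding of $l_3$ as $0 < 1 < 2$ (so meet is min and join is max) are assumptions of the example.

```python
from itertools import combinations, product

# Constructed l_3 chain, F < M < T, encoded as 0 < 1 < 2; meet = min, join = max.
F, M, T = 0, 1, 2
TAU = "tau"  # the single internal action of an mv-Kripke structure


def to_ordinary_labeling(S, eta, I, AP, L):
    """Appendix I construction: from TS with L : S x AP -> l build
    TS' = (S x {1..t}, eta', I', AP, L') whose labeling L' is ordinary."""
    ds = sorted({L[(s, A)] for s in S for A in AP})      # Im(L) = {d_1, ..., d_t}
    S2 = [(s, i) for s in S for i in range(len(ds))]
    I2 = {(s, i): min(I.get(s, F), ds[i]) for (s, i) in S2}               # I(s) /\ d_i
    eta2 = {((s, i), TAU, (t, j)): min(ds[i], eta.get((s, TAU, t), F), ds[j])
            for (s, i) in S2 for (t, j) in S2}                             # d_i /\ eta /\ d_j
    L2 = {(s, i): frozenset(A for A in AP if L[(s, A)] >= ds[i]) for (s, i) in S2}  # L_{d_i}(s)
    return S2, eta2, I2, L2


def mv_prefix_value(S, eta, I, AP, L, word):
    """Traces(TS)(A_0 ... A_{n-1}) as defined in Appendix I, on a finite prefix:
    the join over state sequences and choices phi(i) with L_{d_phi(i)}(s_i) = A_i
    of I(s_0) /\ d_phi(0) /\ r_1 /\ d_phi(1) /\ ... /\ r_{n-1} /\ d_phi(n-1)."""
    ds = sorted({L[(s, A)] for s in S for A in AP})
    n, best = len(word), F
    for states in product(S, repeat=n):
        for phi in product(range(len(ds)), repeat=n):
            if any(frozenset(A for A in AP if L[(states[k], A)] >= ds[phi[k]]) != word[k]
                   for k in range(n)):
                continue
            v = min(I.get(states[0], F), ds[phi[0]])
            for k in range(1, n):
                v = min(v, eta.get((states[k - 1], TAU, states[k]), F), ds[phi[k]])
            best = max(best, v)
    return best


def ordinary_prefix_value(S2, eta2, I2, L2, word):
    """Traces(TS')(A_0 ... A_{n-1}) for the ordinary-labeled TS': join over runs
    whose labels match the word of I'(s'_0) /\ r'_1 /\ ... /\ r'_{n-1}."""
    n, best = len(word), F
    for states in product(S2, repeat=n):
        if any(L2[states[k]] != word[k] for k in range(n)):
            continue
        v = I2[states[0]]
        for k in range(1, n):
            v = min(v, eta2.get((states[k - 1], TAU, states[k]), F))
        best = max(best, v)
    return best


# Constructed two-state mv-Kripke structure over AP = {b, p} (not the Button
# module of Fig. 2, whose figure is not reproduced here).
AP = ["b", "p"]
S = ["s0", "s1"]
I = {"s0": T}                                   # s1 is not initial (value F)
ETA = {("s0", TAU, "s1"): T, ("s1", TAU, "s0"): M, ("s1", TAU, "s1"): T}
LAB = {("s0", "b"): T, ("s0", "p"): M, ("s1", "b"): M, ("s1", "p"): F}


def value_of(word):
    """Traces(TS) on a finite prefix given as a list of lists of propositions."""
    return mv_prefix_value(S, ETA, I, AP, LAB, tuple(frozenset(a) for a in word))


def traces_agree(n):
    """True iff Traces(TS) and Traces(TS') agree on every word of length n."""
    S2, eta2, I2, L2 = to_ordinary_labeling(S, ETA, I, AP, LAB)
    letters = [frozenset(c) for r in range(len(AP) + 1) for c in combinations(AP, r)]
    return all(mv_prefix_value(S, ETA, I, AP, LAB, w) == ordinary_prefix_value(S2, eta2, I2, L2, w)
               for w in product(letters, repeat=n))


if __name__ == "__main__":
    print(value_of([["b"], ["b"]]), traces_agree(3))
```

The prefix $\{b\}\{b\}$ evaluates to M: it is only realised by the run $s_0 s_1$ with $d_{\varphi(0)} = T$ and $d_{\varphi(1)} = M$, and the same value arises in $TS'$ through the state $(s_1, 2)$ whose incoming transition carries $d_2 = M$.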
Appendix II: The proof of Proposition 5

(1) is obvious.

(2) The inclusion $Closure(P_1) \cup Closure(P_2) \subseteq Closure(P_1 \cup P_2)$ is obvious. Conversely, let $X = Im(P_1) \cup Im(P_2)$, and let $l_1$ be the sublattice generated by X. Observing that the three sets $Im(Closure(P_1))$, $Im(Closure(P_2))$ and $Im(Closure(P_1 \cup P_2))$ are subsets of $l_1$, to show $Closure(P_1 \cup P_2) \subseteq Closure(P_1) \cup Closure(P_2)$, it suffices to show that, for any $m \in JI(l_1)$ and $\sigma \in (2^{AP})^\omega$, $m \le Closure(P_1 \cup P_2)(\sigma)$ implies that $m \le Closure(P_1)(\sigma)$ or $m \le Closure(P_2)(\sigma)$. By the definition of the Closure operator, $m \le Closure(P_1 \cup P_2)(\sigma)$ implies that, for any $\theta \in Pref(\sigma)$, there exists $\tau \in (2^{AP})^\omega$ such that $m \le P_1(\theta\tau) \vee P_2(\theta\tau)$; it follows that $m \le P_1(\theta\tau)$ or $m \le P_2(\theta\tau)$. Let $Pref_1 = \{\theta \in Pref(\sigma) \mid m \le P_1(\theta\tau) \text{ for some } \tau \in (2^{AP})^\omega\}$, and $Pref_2 = \{\theta \in Pref(\sigma) \mid m \le P_2(\theta\tau) \text{ for some } \tau \in (2^{AP})^\omega\}$. Then $Pref_1 \cup Pref_2 = Pref(\sigma)$. Since $Pref(\sigma)$ is infinite as a set, it follows that $Pref_1$ or $Pref_2$ is infinite. Without loss of generality, let us assume that $Pref_1$ is infinite. Then, for any $\theta \in Pref(\sigma)$, since $Pref_1$ is infinite, there is $\theta_1 \in Pref_1$ such that $\theta \in Pref(\theta_1)$, and $m \le P_1(\theta_1\tau_1)$ for some $\tau_1 \in (2^{AP})^\omega$. In this case, there exists $\tau \in (2^{AP})^\omega$ such that $\theta_1\tau_1 = \theta\tau$ and $m \le P_1(\theta_1\tau_1) = P_1(\theta\tau)$. Hence, by the definition of $Closure(P_1)$, it follows that $m \le Closure(P_1)(\sigma)$.

(3) By condition (1), we have $Closure(P) \subseteq Closure(Closure(P))$. Conversely, for any $\sigma \in (2^{AP})^\omega$, we have

$$Closure(Closure(P))(\sigma) = \bigwedge\{\bigvee_{\tau \in (2^{AP})^\omega} Closure(P)(\theta\tau) \mid \theta \in Pref(\sigma)\}.$$

On the other hand, for $Closure(P)(\theta\tau)$, since $\theta \in Pref(\theta\tau)$, we have

$$Closure(P)(\theta\tau) = \bigwedge\{\bigvee_{\tau_1 \in (2^{AP})^\omega} P(\theta_1\tau_1) \mid \theta_1 \in Pref(\theta\tau)\} \le \bigvee_{\tau_1 \in (2^{AP})^\omega} P(\theta\tau_1).$$

Hence, we have

$$Closure(Closure(P))(\sigma) = \bigwedge\{\bigvee_{\tau \in (2^{AP})^\omega} Closure(P)(\theta\tau) \mid \theta \in Pref(\sigma)\} \le \bigwedge\{\bigvee_{\tau \in (2^{AP})^\omega} \bigvee_{\tau_1 \in (2^{AP})^\omega} P(\theta\tau_1) \mid \theta \in Pref(\sigma)\} = \bigwedge\{\bigvee_{\tau_1 \in (2^{AP})^\omega} P(\theta\tau_1) \mid \theta \in Pref(\sigma)\} = Closure(P)(\sigma).$$

This shows that $Closure(Closure(P)) \subseteq Closure(P)$.

Therefore, $Closure(Closure(P)) = Closure(P)$. □

Appendix III: The proof of Proposition [?]

"If" part: It suffices to prove that $\bigwedge_{\theta \in Pref(\sigma)} GPref(P)(\theta) \le P(\sigma)$ for any $\sigma \in (2^{AP})^\omega$. Otherwise, there exists $\sigma \in (2^{AP})^\omega$ such that $\bigwedge_{\theta \in Pref(\sigma)} GPref(P)(\theta) \not\le P(\sigma)$. Noting that $P(\sigma) = Closure(P)(\sigma) = \bigwedge_{\theta \in Pref(\sigma)} \bigvee_{\tau \in (2^{AP})^\omega} P(\theta\tau)$, it follows that $\bigwedge_{\theta \in Pref(\sigma)} GPref(P)(\theta) \not\le \bigvee_{\tau \in (2^{AP})^\omega} P(\theta'\tau)$ for some $\theta' \in Pref(\sigma)$. Hence, $GPref(P)(\theta') \not\le \bigvee_{\tau \in (2^{AP})^\omega} P(\theta'\tau)$. This contradicts the definition of $GPref(P)$, i.e., we should have $GPref(P)(\theta') \le \bigvee_{\tau \in (2^{AP})^\omega} P(\theta'\tau)$.

"Only if" part: $P \subseteq Closure(P)$ holds by Proposition 5 (1). It remains to prove that $Closure(P) \subseteq P$. Otherwise, there exists $\sigma \in (2^{AP})^\omega$ such that $Closure(P)(\sigma) \not\le P(\sigma)$. It follows that $Closure(P)(\sigma) \not\le \bigwedge_{\theta \in Pref(\sigma)} GPref(P)(\theta)$. Thus, there exists $\theta \in Pref(\sigma)$ such that $\big(\bigwedge\{\bigvee_{\tau \in (2^{AP})^\omega} P(\theta\tau) \mid \theta \in Pref(\sigma)\} =\big)\ Closure(P)(\sigma) \not\le GPref(P)(\theta)\ \big(= \bigvee_{\tau \in (2^{AP})^\omega} P(\theta\tau)\big)$, which contradicts the definitions of $Closure(P)$ and $GPref(P)$. □



Appendix IV: The proof of Theorem [18 



As a preliminary to show Theorem [T8l we need a proposition to characterize 
mv-cu-regular languages. 

Proposition 22. For an mv-co language f : 'L'^' ^ I, the following statements are 
equivalent: 

(1) f is an mv-co-regular language, i.e., f can be accepted by an l-VBA. 

(2) Im{f) is finite and fa is a co-regular language (which can be accepted by a 
Biichi automaton) over ILfor any a G Ifn{f). 

(3) There exist finite elements nii, ■ ■ ■ ,mk inl and finite co-regular languages 
Xi, • • • ,-Ck over Z such that 

f = UlimiA£, 

Proof: (1) $\Rightarrow$ (2): Assume that $f$ is accepted by an $l$-VBA $\mathcal{A} = (Q, \Sigma, \delta, I, F)$. Let $X = Im(I) \cup Im(\delta) \cup Im(F)$. Since $Q$ and $\Sigma$ are finite sets, $X$ is a finite subset of $l$. Let $l_1$ be the sublattice of $l$ generated by $X$; then $l_1$ is a finite distributive lattice ([jsl, Est]), and any element of $l_1$ can be represented as a finite join of join-irreducible elements of $l_1$. For any $m \in JI(l_1)$, let $\mathcal{A}_m = (Q, \Sigma, \delta_m, I_m, F_m)$. Then $\mathcal{A}_m$ is a classical Büchi automaton and thus $L_\omega(\mathcal{A}_m)$ is $\omega$-regular.

Let us show that $L_\omega(\mathcal{A})_m = L_\omega(\mathcal{A}_m)$. This is because, for any $w = \sigma_1\sigma_2\cdots \in \Sigma^\omega$,

$w \in L_\omega(\mathcal{A}_m)$
iff
for any $i \ge 0$, there exists $q_i \in Q$ such that $q_0 \in I_m$, $(q_i, \sigma_{i+1}, q_{i+1}) \in \delta_m$, and $J = \{j \mid q_j \in F_m\}$ is an infinite subset of $\mathbb{N}$;
iff
for any $i \ge 0$, there exists $q_i \in Q$ such that $I(q_0) \ge m$, $\delta(q_i, \sigma_{i+1}, q_{i+1}) \ge m$, and there exists an infinite subset $J$ of $\mathbb{N}$ such that $F(q_j) \ge m$ for any $j \in J$;
iff
for any $i \ge 0$, there exist $q_i \in Q$ and an infinite subset $J$ of $\mathbb{N}$ such that $I(q_0) \ge m$ and $\bigwedge_{i \ge 0} \delta(q_i, \sigma_{i+1}, q_{i+1}) \wedge \bigwedge_{j \in J} F(q_j) \ge m$;
iff
$\bigvee\{I(q_0) \wedge \bigwedge_{i \ge 0} \delta(q_i, \sigma_{i+1}, q_{i+1}) \wedge \bigwedge_{j \in J} F(q_j) \mid q_i \in Q \text{ for any } i \ge 0 \text{ and } J \text{ is an infinite subset of } \mathbb{N}\} \ge m$;
iff
$L_\omega(\mathcal{A})(w) \ge m$ (by the definition of $L_\omega(\mathcal{A})$);
iff
$w \in L_\omega(\mathcal{A})_m$.

Hence, $L_\omega(\mathcal{A})_m$ is $\omega$-regular for any $m \in JI(l_1)$.

Furthermore, for any $a \in Im(f) = Im(L_\omega(\mathcal{A}))$, there exist finitely many join-irreducible elements $m_1, \cdots, m_k$ in $l_1$ such that $a = \bigvee_{i=1}^{k} m_i$. Then

$f_a = \bigcap_{i=1}^{k} f_{m_i}$.

Since $f_{m_i}$ is $\omega$-regular and $\omega$-regular languages are closed under finite intersection, it follows that $f_a$ is $\omega$-regular.
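The (1) $\Rightarrow$ (2) direction above evaluates $f$ through its cuts: $\mathcal{A}_m$ keeps exactly the entries of $I$, $\delta$ and $F$ with weight $\ge m$, and $f(w)$ is the join of those $m$ whose $\mathcal{A}_m$ accepts $w$. The following Python block is an added example and not code from the paper; it carries that construction out for a small $l$-VBA constructed here. Everything in it is an assumption of the example: the names Q, I, F, DELTA, the chain lattice $\{0,1,2,3\}$ (so join is max and meet is min), and the representation of infinite words as lassos $u v^\omega$. Acceptance of a lasso by the classical Büchi automaton $\mathcal{A}_m$ is decided on the finite unfolding of the automaton along the lasso, and $f(w)$ is then the largest accepting cut.

```python
"""Cut (threshold) automata of a lattice-valued Buechi automaton (l-VBA).

Added example, not code from the paper.  Assumptions: the value lattice l is
the finite chain {0,1,2,3} (join = max, meet = min); infinite words are given
as lassos u v^omega; the automaton below is constructed for illustration.
"""

# l-VBA A = (Q, SIGMA, DELTA, I, F).  The value of a run is the meet of I(q0),
# every transition weight and the weights F(q) of the states it visits
# infinitely often; f(w) = L_omega(A)(w) is the join over all runs on w.
Q = ("p", "q")
SIGMA = ("a", "b")
I = {"p": 3, "q": 0}
F = {"p": 1, "q": 3}
DELTA = {
    ("p", "a", "p"): 3,
    ("p", "b", "p"): 2,
    ("p", "a", "q"): 2,
    ("q", "a", "q"): 2,
    # ("q", "b", "q") is absent, i.e. has weight 0: a b read in q kills the run
}


def cut(m):
    """Classical Buechi automaton A_m = (Q, SIGMA, DELTA_m, I_m, F_m):
    keep exactly the entries of I, DELTA and F with weight >= m."""
    init = frozenset(q for q in Q if I[q] >= m)
    trans = frozenset(t for t, w in DELTA.items() if w >= m)
    final = frozenset(q for q in Q if F[q] >= m)
    return init, trans, final


def nba_accepts_lasso(init, trans, final, u, v):
    """Does the classical NBA (init, trans, final) accept u v^omega?

    Unfold the automaton along the lasso: node (q, pos) means 'in state q,
    about to read letter pos of u+v'; after the last letter of v we continue
    with the first letter of v.  The word is accepted iff a node with q in
    final is reachable from an initial node and lies on a cycle.
    """
    assert len(v) >= 1, "a lasso needs a non-empty loop"
    word = u + v
    n = len(word)
    succ = {}
    for q in Q:
        for pos in range(n):
            nxt = pos + 1 if pos + 1 < n else len(u)
            succ[(q, pos)] = [(q2, nxt) for q2 in Q if (q, word[pos], q2) in trans]

    def reach(sources):
        seen, stack = set(), list(sources)
        while stack:
            node = stack.pop()
            if node not in seen:
                seen.add(node)
                stack.extend(succ[node])
        return seen

    for node in reach([(q, 0) for q in init]):
        if node[0] in final and node in reach(succ[node]):   # on a cycle
            return True
    return False


def value(u, v):
    """f(u v^omega) = max{ m : A_m accepts u v^omega }, 0 if no cut accepts.

    In a chain every non-zero element is join-irreducible, so the join of the
    accepting cuts is simply the largest accepting m."""
    weights = sorted({*I.values(), *F.values(), *DELTA.values()}, reverse=True)
    for m in weights:
        if m > 0 and nba_accepts_lasso(*cut(m), u, v):
            return m
    return 0


if __name__ == "__main__":
    for u, v in [("", "a"), ("", "ab"), ("ab", "a"), ("", "b")]:
        print(f"f({u!r}({v!r})^w) = {value(u, v)}")
```

With this automaton $f(w) = 2$ when $w$ eventually contains only the letter a and $f(w) = 1$ for every other word over {a, b}: the cut at 3 accepts nothing (q is unreachable through weight-3 transitions), the cut at 2 accepts exactly the words that end in a$^\omega$, and the cut at 1 accepts every word, which is what the loop in `value` recovers. Over a general finite distributive lattice the same loop would take the join of the join-irreducible $m$ whose cut accepts, as the proof does.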

(2) => (3) is obvious. 

(3) $\Rightarrow$ (1). Since $\mathcal{L}_i$ is $\omega$-regular, there exists a Büchi automaton $\mathcal{A}_i = (Q_i, \Sigma, \delta_i, I_i, F_i)$ such that $L_\omega(\mathcal{A}_i) = \mathcal{L}_i$ for any $i = 1, \cdots, k$. If we let $Q = \bigcup_i \{i\} \times Q_i$, and define $I, F : Q \to l$ and $\delta : Q \times \Sigma \times Q \to l$ as



for any $(i, q), (j, p) \in Q$. This constructs a new mv-$\omega$-Büchi automaton $\mathcal{A} = (Q, \Sigma, \delta, I, F)$. Let us show that $L_\omega(\mathcal{A}) = f$.

In fact, for any $w = \sigma_1\sigma_2\cdots \in \Sigma^\omega$, if there exist $q'_i \in Q$ for any $i \ge 0$ and an infinite subset $J$ of $\mathbb{N}$ such that $I(q'_0) \wedge \bigwedge_{i \ge 0} \delta(q'_i, \sigma_{i+1}, q'_{i+1}) \wedge \bigwedge_{j \in J} F(q'_j) > 0$, then, by the definitions of $I$, $F$ and $\delta$, there exist $1 \le i_1 \le k$ and $q_i \in Q_{i_1}$ such that $q'_i = (i_1, q_i)$, $q_0 \in I_{i_1}$, $(q_i, \sigma_{i+1}, q_{i+1}) \in \delta_{i_1}$, and $q_j \in F_{i_1}$ for any $j \in J$. It follows that $w \in \mathcal{L}_{i_1}$. Hence, by the definition of $L_\omega(\mathcal{A})$, we have

$L_\omega(\mathcal{A})(w) = \bigvee\{m_i \mid w \in \mathcal{L}_i\} = f(w)$.

Hence, $f$ is mv-$\omega$-regular. □

Proposition 23. Let $f_1, \cdots, f_k$ ($k \ge 2$) be finite mv-$\omega$-languages from $\Sigma^\omega$ into $l$ which can be accepted by some $l$-VDRAs. Then their join $f_1 \cup \cdots \cup f_k$ can also be accepted by an $l$-VDRA.
Proof: For simplicity, we give the proof for the case $k = 2$. The other cases can be proved by induction on $k$.

Assume that $f_i$ can be recognized by an $l$-VDRA $\mathcal{A}_i = (Q_i, \Sigma, \delta_i, q_{i0}, \mathcal{T}_i)$ for $i = 1, 2$, respectively. Let us show that $f = f_1 \cup f_2$ can also be accepted by some $l$-VDRA. We explicitly construct such an $l$-VDRA $\mathcal{A} = (Q, \Sigma, \delta, q_0, \mathcal{T})$ as follows, where $Q = Q_1 \times Q_2$, $\delta = \delta_1 \times \delta_2$ (that is, $\delta((q_1, q_2), \sigma) = (\delta_1(q_1, \sigma), \delta_2(q_2, \sigma))$), $q_0 = (q_{10}, q_{20})$, and $\mathcal{T} : 2^{Q_1 \times Q_2} \times 2^{Q_1 \times Q_2} \to l$ is defined by

$$\mathcal{T}((H, K)) = \begin{cases} \mathcal{T}_1((H_1, K_1)), & \text{if } H = H_1 \times Q_2 \text{ and } K = K_1 \times Q_2 \\ \mathcal{T}_2((H_2, K_2)), & \text{if } H = Q_1 \times H_2 \text{ and } K = Q_1 \times K_2 \\ \mathcal{T}_1((H_1, K_1)) \vee \mathcal{T}_2((H_2, K_2)), & \text{if } H = H_1 \times Q_2 \cup Q_1 \times H_2 \text{ and } K = K_1 \times K_2 \\ 0, & \text{otherwise.} \end{cases}$$

By the definitions of $L_\omega(\mathcal{A})$, $L_\omega(\mathcal{A}_1)$ and $L_\omega(\mathcal{A}_2)$, it is obvious that $L_\omega(\mathcal{A}_1) \cup L_\omega(\mathcal{A}_2) \subseteq L_\omega(\mathcal{A})$.

Conversely, let $X = Im(\mathcal{T}_1) \cup Im(\mathcal{T}_2)$ and $l_1$ be the sublattice generated by $X$; then $l_1$ is a finite distributive lattice. The inclusion $Im(\mathcal{T}) \subseteq l_1$ is obvious and thus $Im(L_\omega(\mathcal{A})) \subseteq l_1$. To show $L_\omega(\mathcal{A}) \subseteq L_\omega(\mathcal{A}_1) \cup L_\omega(\mathcal{A}_2)$, it suffices to show that, for any $\sigma \in \Sigma^\omega$ and any $m \in JI(l_1)$, if $m \le L_\omega(\mathcal{A})(\sigma)$, then $m \le L_\omega(\mathcal{A}_1)(\sigma)$ or $m \le L_\omega(\mathcal{A}_2)(\sigma)$. By the definition of $L_\omega(\mathcal{A})(\sigma)$, if $m \le L_\omega(\mathcal{A})(\sigma)$, then there exists $(H, K) \in 2^Q \times 2^Q$ such that $m \le \mathcal{T}((H, K))$ and the run $q_0 q_1 \cdots$ of $\mathcal{A}$ on $\sigma$, where $q_{i+1} = (q_{1,i+1}, q_{2,i+1}) = \delta(q_i, \sigma_{i+1}) = (\delta_1(q_{1i}, \sigma_{i+1}), \delta_2(q_{2i}, \sigma_{i+1}))$ for $i = 0, 1, \cdots$, satisfies $(\exists n \ge 0.\, \forall m \ge n.\, q_m \notin H) \wedge (\forall n \ge 0.\, \exists m \ge n.\, q_m \in K)$. By the definition of $\mathcal{T}$, we have three cases to consider:

Case 1: $H = H_1 \times Q_2$, $K = K_1 \times Q_2$. In this case, we have $m \le \mathcal{T}((H, K)) = \mathcal{T}_1((H_1, K_1))$. Then the sequence $q_0 q_1 \cdots$ satisfies the condition $(\exists n \ge 0.\, \forall m \ge n.\, q_m = (q_{1m}, q_{2m}) \notin H_1 \times Q_2) \wedge (\forall n \ge 0.\, \exists m \ge n.\, q_m = (q_{1m}, q_{2m}) \in K_1 \times Q_2)$. The latter condition implies that $(\exists n \ge 0.\, \forall m \ge n.\, q_{1m} \notin H_1) \wedge (\forall n \ge 0.\, \exists m \ge n.\, q_{1m} \in K_1)$. By the definition of $L_\omega(\mathcal{A}_1)(\sigma)$, it follows that $\mathcal{T}_1((H_1, K_1)) \le L_\omega(\mathcal{A}_1)(\sigma)$. Hence, $m \le L_\omega(\mathcal{A}_1)(\sigma)$.

Case 2: $H = Q_1 \times H_2$, $K = Q_1 \times K_2$. Similar to Case 1, we can prove that $m \le L_\omega(\mathcal{A}_2)(\sigma)$.

Case 3: $H = H_1 \times Q_2 \cup Q_1 \times H_2$ and $K = K_1 \times K_2$. In this case, we have $m \le \mathcal{T}((H, K)) = \mathcal{T}_1((H_1, K_1)) \vee \mathcal{T}_2((H_2, K_2))$. Since $m \in JI(l_1)$, it follows that $m \le \mathcal{T}_1((H_1, K_1))$ or $m \le \mathcal{T}_2((H_2, K_2))$. Consider the sequence $q_0 q_1 \cdots$; it satisfies the condition $(\exists n \ge 0.\, \forall m \ge n.\, q_m = (q_{1m}, q_{2m}) \notin H_1 \times Q_2 \cup Q_1 \times H_2) \wedge (\forall n \ge 0.\, \exists m \ge n.\, q_m = (q_{1m}, q_{2m}) \in K_1 \times K_2)$. The latter condition implies that $(\exists n \ge 0.\, \forall m \ge n.\, q_{1m} \notin H_1) \wedge (\forall n \ge 0.\, \exists m \ge n.\, q_{1m} \in K_1) \wedge (\exists n \ge 0.\, \forall m \ge n.\, q_{2m} \notin H_2) \wedge (\forall n \ge 0.\, \exists m \ge n.\, q_{2m} \in K_2)$. It follows that $\mathcal{T}_1((H_1, K_1)) \le L_\omega(\mathcal{A}_1)(\sigma)$ and $\mathcal{T}_2((H_2, K_2)) \le L_\omega(\mathcal{A}_2)(\sigma)$. Hence, $m \le L_\omega(\mathcal{A}_1)(\sigma)$ or $m \le L_\omega(\mathcal{A}_2)(\sigma)$.

This concludes that $L_\omega(\mathcal{A}) = L_\omega(\mathcal{A}_1) \cup L_\omega(\mathcal{A}_2)$. □
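The product construction of Proposition 23, together with the single-pair automaton ($\mathcal{T}_i = m_i$ on $ACC$ and $0$ elsewhere) used in the proof of Theorem 18, as an added Python example that is not the paper's code. Its assumptions: the value lattice is the chain $\{0,1,2,3\}$ (join is max), infinite words are lassos $u v^\omega$ (so the set of states the deterministic run visits infinitely often is obtained by iterating the loop $v$ until a state repeats at a block boundary), an $l$-VDRA is encoded as a dict with entries Q, sigma, delta, q0, T, and the two automata A1 and A2 are constructed here for illustration. `join_product` builds $(Q_1 \times Q_2, \delta_1 \times \delta_2, \mathcal{T})$ by the three cases of $\mathcal{T}$; when two cases yield the same pair $(H, K)$ the join of their values is kept, which is the example's own choice and is sound because each case value is a lower bound of the true value.

```python
"""Product l-VDRA for the join of two lattice-valued deterministic Rabin
automata, following the case split of Proposition 23.

Added example, not code from the paper.  Assumptions: value lattice = chain
{0,1,2,3} (join = max); words are lassos u v^omega; an l-VDRA is a dict
(Q, sigma, delta, q0, T) with total deterministic delta and T mapping Rabin
pairs (H, K) (frozensets of states) to values, unlisted pairs having value 0.
The value of a word is the join of T(H, K) over the pairs whose H is visited
finitely often and whose K is visited infinitely often by the unique run.
"""
from itertools import product


def run_inf(delta, q0, u, v):
    """States visited infinitely often by the deterministic run on u v^omega."""
    q = q0
    for a in u:
        q = delta[(q, a)]
    first_seen, blocks = {}, []        # v-block index at which a state was first the block start
    while q not in first_seen:
        first_seen[q] = len(blocks)
        visited = []
        for a in v:
            q = delta[(q, a)]
            visited.append(q)
        blocks.append(visited)
    inf = set()
    for block in blocks[first_seen[q]:]:   # these v-blocks repeat forever
        inf.update(block)
    return frozenset(inf)


def vdra_value(aut, u, v):
    """L_omega(aut)(u v^omega) for a chain-valued l-VDRA."""
    inf = run_inf(aut["delta"], aut["q0"], u, v)
    return max((val for (H, K), val in aut["T"].items()
                if not (inf & H) and (inf & K)), default=0)


def cross(A, B):
    return frozenset(product(A, B))


def join_product(a1, a2):
    """The l-VDRA of Proposition 23: Q = Q1 x Q2, delta = delta1 x delta2 and
    the three-case T.  Coinciding pairs from different cases keep the join
    (our choice; every case value is a lower bound of the true value)."""
    Q1, Q2, sigma = a1["Q"], a2["Q"], a1["sigma"]
    delta = {((p, q), a): (a1["delta"][(p, a)], a2["delta"][(q, a)])
             for p in Q1 for q in Q2 for a in sigma}
    T = {}

    def put(H, K, val):
        T[(H, K)] = max(T.get((H, K), 0), val)

    for (H1, K1), v1 in a1["T"].items():                      # case 1
        put(cross(H1, Q2), cross(K1, Q2), v1)
    for (H2, K2), v2 in a2["T"].items():                      # case 2
        put(cross(Q1, H2), cross(Q1, K2), v2)
    for ((H1, K1), v1), ((H2, K2), v2) in product(a1["T"].items(), a2["T"].items()):
        put(cross(H1, Q2) | cross(Q1, H2), cross(K1, K2), max(v1, v2))   # case 3
    return {"Q": cross(Q1, Q2), "sigma": sigma, "delta": delta,
            "q0": (a1["q0"], a2["q0"]), "T": T}


# A1 (constructed): "infinitely many a" to degree 3, "infinitely many b" to degree 1.
A1 = {"Q": ("s0", "s1"), "sigma": ("a", "b"), "q0": "s0",
      "delta": {("s0", "a"): "s1", ("s0", "b"): "s0",
                ("s1", "a"): "s1", ("s1", "b"): "s0"},
      "T": {(frozenset(), frozenset({"s1"})): 3,
            (frozenset(), frozenset({"s0"})): 1}}

# A2 (constructed): "eventually only b" to degree 2.  A single pair valued m_i
# on the accepting condition and 0 elsewhere is the shape m_i meet L_i from
# the proof of Theorem 18.
A2 = {"Q": ("t0", "t1"), "sigma": ("a", "b"), "q0": "t0",
      "delta": {("t0", "a"): "t0", ("t0", "b"): "t1",
                ("t1", "a"): "t0", ("t1", "b"): "t1"},
      "T": {(frozenset({"t0"}), frozenset({"t1"})): 2}}


def join_matches(a1, a2, lassos):
    """Check L(product) = L(a1) join L(a2) on the given (u, v) lassos."""
    prod = join_product(a1, a2)
    return all(vdra_value(prod, u, v) == max(vdra_value(a1, u, v), vdra_value(a2, u, v))
               for u, v in lassos)
```

For example, b$^\omega$ gets value 1 from A1 and 2 from A2, and the product returns 2 through case 2 (and through case 3, where the pair $(\emptyset, \{s_0\})$ of A1 combines with the pair of A2); a$^\omega$ gets 3 through case 1. Note that $\mathcal{T}$ of the product is only non-zero on pairs built from the listed pairs of A1 and A2, so its support stays small even though $2^{Q_1 \times Q_2} \times 2^{Q_1 \times Q_2}$ is large.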
The proof of Theorem 18:

Let $f : \Sigma^\omega \to l$ be an mv-language accepted by an $l$-VDRA $\mathcal{A} = (Q, \Sigma, \delta, q_0, \mathcal{T})$. By the definition of $L_\omega(\mathcal{A})$, it follows that $Im(f) = Im(L_\omega(\mathcal{A})) \subseteq Im(\mathcal{T})$, and thus $Im(f) = Im(L_\omega(\mathcal{A}))$ is a finite subset of $l$. For any $a \in Im(f)$, $f_a$ is obviously accepted by the classical Rabin automaton $\mathcal{A}_a = (Q, \Sigma, \delta, q_0, \mathcal{T}_a)$, and thus $f_a = L_\omega(\mathcal{A}_a)$ is an $\omega$-regular language. Hence, condition (2) in Proposition 22 holds for $f$, and $f$ can be accepted by an $l$-VBA.

Conversely, if $f$ can be accepted by an $l$-VBA, then, by Proposition 22 (3), there are finitely many elements $m_1, \cdots, m_k$ in $l$ and finitely many $\omega$-regular languages $\mathcal{L}_1, \cdots, \mathcal{L}_k$ over $\Sigma$ such that

$f = \bigcup_{i=1}^{k} m_i \wedge \mathcal{L}_i$.

For any $i$, since $\mathcal{L}_i$ is $\omega$-regular, there exists a deterministic Rabin automaton $\mathcal{A}_i = (Q, \Sigma, \delta, q_0, ACC)$ accepting $\mathcal{L}_i$, i.e., $L_\omega(\mathcal{A}_i) = \mathcal{L}_i$. Construct an $l$-VDRA $\mathcal{A}'_i$ from $\mathcal{A}_i$ as $\mathcal{A}'_i = (Q, \Sigma, \delta, q_0, \mathcal{T}_i)$, where $\mathcal{T}_i : 2^Q \times 2^Q \to l$ is

$$\mathcal{T}_i((H, K)) = \begin{cases} m_i, & \text{if } (H, K) \in ACC \\ 0, & \text{otherwise.} \end{cases}$$

By a simple calculation, we have $L_\omega(\mathcal{A}'_i) = m_i \wedge \mathcal{L}_i$. This shows that $m_i \wedge \mathcal{L}_i$ can be accepted by an $l$-VDRA for any $i$. By Proposition 23 and the equality $f = \bigcup_{i=1}^{k} m_i \wedge \mathcal{L}_i$, it follows that $f$ can be accepted by an $l$-VDRA. □